EVALUATION REPORT

Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2007

OIG-07-A-19     September 28, 2007

All publicly available OIG reports (including this report) are accessible through NRC's Web site at:
http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/


September 28, 2007

MEMORANDUM TO:    Luis A. Reyes
                  Executive Director for Operations

FROM:             Stephen D. Dingbaum /RA/
                  Assistant Inspector General for Audits

SUBJECT:          INDEPENDENT EVALUATION OF NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) FOR FISCAL YEAR 2007 (OIG-07-19)

Attached is the Office of the Inspector General's (OIG) audit report titled, Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2007.

This report presents the results of the subject audit. Agency comments provided at the exit conference on September 17, 2007, have been incorporated, as appropriate, into this report. The agency provided formal comments, which appear in Appendix E of the report. Appendix F contains the detailed OIG analysis of agency comments.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG follow up as stated in Management Directive 6.1. Note that the recommendations made in the Fiscal Year 2005 and Fiscal Year 2006 FISMA evaluations, which are resolved but still require agency action in order to be closed, will now be tracked under this year's FISMA report.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915, or Beth Serepca, Team Leader, Security and Information Management Team, at 415-5911.

Attachment: As stated


Electronic Distribution

Frank P. Gillespie, Executive Director, Advisory Committee on Reactor Safeguards/Advisory Committee on Nuclear Waste
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
William M. McCabe, Chief Financial Officer
Margaret M. Doane, Director, Office of International Programs
Rebecca L. Schmidt, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
William F. Kane, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Waste, Research, State, Tribal, and Compliance Programs, OEDO
Darren B. Ash, Deputy Executive Director for Information Services and Chief Information Officer, OEDO
Vonna L. Ordaz, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Cynthia A. Carpenter, Director, Office of Enforcement
Charles L. Miller, Director, Office of Federal and State Materials and Environmental Management Programs
Guy P. Caputo, Director, Office of Investigations
Edward T. Baker, Director, Office of Information Services
James F. McDermott, Director, Office of Human Resources
R. William Borchardt, Director, Office of New Reactors
Michael F. Weber, Director, Office of Nuclear Material Safety and Safeguards
James E. Dyer, Director, Office of Nuclear Reactor Regulation
Brian W. Sheron, Director, Office of Nuclear Regulatory Research
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
William D. Travers, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Bruce S. Mallett, Regional Administrator, Region IV


Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act for Fiscal Year 2007

Contract Number: GS-00F-0001N
Delivery Order Number: DR-36-03-346

September 25, 2007

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.


Independent Evaluation of NRC's Implementation of FISMA for FY 2007

EXECUTIVE SUMMARY

BACKGROUND

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002. FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency's information security program¹ and practices to determine its effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency's information systems. FISMA requires the annual evaluation to be performed by the agency's Inspector General (IG) or by an independent external auditor.

Office of Management and Budget (OMB) memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 25, 2007, requires the agency's IG to complete the OMB FISMA Reporting Template for IGs (referred to by OMB as Section C). That template, along with any additional narrative the IG believes would provide meaningful insight into the status of the agency's security or privacy program, is submitted to OMB as part of the agency's annual FISMA report, and is included as Appendix D to this report.

This report reflects the status of the agency's information system security program as of the completion of fieldwork on August 17, 2007. Any information received from the agency subsequent to the completion of fieldwork was incorporated when possible.

PURPOSE

The objective of this review was to perform an independent evaluation of the Nuclear Regulatory Commission's (NRC) implementation of FISMA for FY 2007.

RESULTS IN BRIEF

Program Enhancements and Improvements

To correct weaknesses identified by the FY 2005 and FY 2006 FISMA independent evaluations by the NRC Office of the Inspector General (OIG), and to address findings from the agency's own evaluations, the agency has refocused its information system security program. Under the refocused program, the agency proposed performing certification and accreditation of systems that are a high priority from a mission perspective and others that potentially pose a higher security risk (e.g., agency systems that communicate with systems outside the NRC network). The first certification and accreditation schedule under the refocused program was issued in February 2006. This schedule has changed several times since February 2006.

¹ For the purposes of FISMA, the agency uses the term "information system security program."

The agency has accomplished the following since the FY 2006 FISMA independent evaluation:

   •   The agency developed a new certification and accreditation process. The agency has finalized the templates for all certification and accreditation documents as well as instructions for completing the templates. The updated certification and accreditation process was also integrated into the agency's new project management methodology.
   •   As required by FISMA, NRC performed annual testing and evaluation (also referred to as self-assessment) of the security controls for 28 of the agency's 30 operational systems. As the other two agency operational systems were just certified and accredited in FY 2007, the agency did not perform an additional self-assessment of those systems as permitted by OMB and National Institute of Standards and Technology (NIST) guidance.
   •   The agency updated security plans for 5 of the agency's 30 operational systems. Subsequent to the completion of fieldwork, the agency provided an updated security plan for another system.
   •   The agency completed the consolidation and reconciliation of data from NRC information systems inventory systems and created a new centralized system for tracking NRC information systems.
   •   The agency has developed policies, procedures, and a template for conducting privacy impact assessments (PIA).
   •   The agency has made significant progress in implementing the provisions of OMB memorandum M-06-15, Safeguarding Personally Identifiable Information, as well as subsequent memoranda issued by OMB regarding privacy and the protection of personally identifiable information (PII).

Significant Deficiencies

The following significant deficiencies were identified in NRC's information system security program. These significant deficiencies were also identified in the FY 2006 FISMA independent evaluation, and were reported as findings in the FY 2005 FISMA independent evaluation.

   •   Only 2 of the 30 operational NRC information systems have a current certification and accreditation, and only 4 of the 11 systems used or operated by a contractor or other organization on behalf of the agency have a current certification and accreditation. Subsequent to the completion of fieldwork, the agency completed certification and accreditation of one of the contractor systems for which they have direct oversight, and the system was granted an authorization to operate (ATO). Two additional agency systems have also been certified and are currently under review by the agency's designated approving authority for consideration of an ATO.
   •   Annual contingency plan testing is still not being performed for all systems.

Program Weaknesses

The independent evaluation also identified 12 information system security program weaknesses. Five are repeat findings from the FY 2005 and FY 2006 FISMA independent evaluations and are identified in the body of the report. The following seven findings are new.

   •   Security categorizations for some systems do not consistently reflect the information types that reside on the systems.
   •   The agency did not follow OMB and NIST guidance when conducting its annual self-assessments.
   •   Self-assessments were not always based on approved security categorizations.
   •   Self-assessments contained errors and inconsistencies.
   •   The agency's methodology is flawed for identifying which listed systems reside on the NRC network and which do not.
   •   The quality of the agency's plans of action and milestones (POA&Ms) needs improvement.
   •   The agency's certification and accreditation process is inconsistent with NIST guidance.

RECOMMENDATIONS

This report makes recommendations to the Executive Director for Operations to improve NRC's information system security program and implementation of FISMA. A consolidated list of recommendations appears on page 45 of this report.

AGENCY COMMENTS

At an exit conference with the agency held on September 17, 2007, the agency provided informal written comments and generally agreed with the report recommendations. The NRC Chief Information Officer provided a formal response to this report on September 24, 2007. Appendix E contains the Chief Information Officer's transmittal letter. The agency's formal comments along with OIG's analysis and response to those comments are included as Appendix F. This final report incorporates revisions made, where appropriate, in response to the agency's comments.


ABBREVIATIONS AND ACRONYMS

ADAMS               Agencywide Document Access and Management System
ATO                 Authorization to Operate
BPIAD               Business Process Improvement and Applications Division
Carson Associates   Richard S. Carson and Associates, Inc.
CIO                 Chief Information Officer
COOP                Network Continuity of Operations
DISA                Defense Information Systems Agency
FIPS                Federal Information Processing Standard
FISMA               Federal Information Security Management Act
FY                  Fiscal Year
HSPD                Homeland Security Presidential Directive
IATO                Interim Authorization to Operate
IG                  Inspector General
IRSD                Information and Records Services Division
ISS                 Information System Security
IT                  Information Technology
LAN/WAN             Local Area Network/Wide Area Network
MD                  Management Directive
NIST                National Institute of Standards and Technology
NRC                 Nuclear Regulatory Commission
OIG                 Office of the Inspector General
OIS                 Office of Information Services
OMB                 Office of Management and Budget
PIA                 Privacy Impact Assessment
PII                 Personally Identifiable Information
POA&M               Plan of Action and Milestones
SP                  Special Publication
SSN                 Social Security Number
US-CERT             United States Computer Emergency Readiness Team


TABLE OF CONTENTS

Executive Summary ........ i

1 Background ........ 1
2 Purpose ........ 1
3 Findings ........ 1
  3.1 FISMA Systems Inventory ........ 4
      FINDING A – Security Categorizations for Some Systems Do Not Consistently Reflect the Information Types that Reside on the Systems (New Finding) ........ 6
      FINDING B – Majority of NRC Major Applications and General Support Systems Have Not Been Categorized in Accordance With FIPS 199 (Repeat Finding) ........ 8
  3.2 Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing ........ 9
      3.2.1 Certification and Accreditation ........ 9
      FINDING C – The Majority of NRC Systems Are Not Certified and Accredited (Repeat Significant Deficiency) ........ 9
      3.2.2 Security Control Test and Evaluation ........ 10
      FINDING D – The Agency Did Not Follow OMB and NIST Guidance When Conducting Its Annual Self-Assessments (New Finding) ........ 12
      FINDING E – Self-Assessments Were Not Always Based on Approved Security Categorizations (New Finding) ........ 14
      FINDING F – Self-Assessments Contained Errors and Inconsistencies (New Finding) ........ 15
      3.2.3 Contingency Planning and Testing ........ 16
      FINDING G – Annual Contingency Plan Testing Is Still Not Being Performed For All Systems (Repeat Significant Deficiency) ........ 17
  3.3 Evaluation of Agency Oversight of Contractor Systems ........ 19
      FINDING H – Agency Does Not Maintain Documentation That Demonstrates Systems Provided By Other Federal Agencies Meet FISMA Requirements (Repeat Finding) ........ 19
      FINDING I – Oversight of Other Contractor Systems Is Lacking (Repeat Finding) ........ 20
  3.4 Evaluation of Quality of Agency System Inventory ........ 21
      FINDING J – Agency Methodology Is Flawed for Identifying Which Listed Systems Reside On the NRC Network and Which Do Not (New Finding) ........ 23
  3.5 Evaluation of Agency POA&M Process ........ 23
      FINDING K – The Quality of the Agency's POA&Ms Needs Improvement (New Finding) ........ 24
  3.6 IG Assessment of the Certification and Accreditation Process ........ 26
      FINDING L – The Agency's Certification and Accreditation Process Is Inconsistent With NIST Guidance (New Finding) ........ 30
  3.7 IG Assessment of Agency Privacy Program and Privacy Impact Assessment Process ........ 34
      3.7.1 Privacy Impact Assessment Process ........ 34
      3.7.2 Progress in Implementing OMB M-06-15 ........ 37
  3.8 Configuration Management ........ 39
  3.9 Incident Reporting ........ 40
  3.10 Security Awareness Training ........ 40
      FINDING M – Agency Lacks Procedures for Ensuring Employees With Significant IT Security Responsibilities Receive Security Training (Repeat Finding) ........ 42
  3.11 E-Authentication Risk Assessments ........ 42
      FINDING N – E-Authentication Risk Assessments Have Not Been Completed (Repeat Finding) ........ 43
4 Consolidated List of Recommendations ........ 45
5 Agency Comments ........ 47

Appendices

  Appendix A. SCOPE AND METHODOLOGY ........ 49
  Appendix B. STATUS OF CONTINGENCY PLAN TESTING ........ 51
  Appendix C. DETAILED POA&Ms ANALYSIS ........ 55
  Appendix D. FY 2007 OMB FISMA REPORTING TEMPLATE FOR IGs ........ 57
  Appendix E. MEMORANDUM TRANSMITTING AGENCY RESPONSE ........ 69
  Appendix F. FORMAL AGENCY COMMENTS AND DETAILED OIG ANALYSIS OF AGENCY COMMENTS ........ 71

List of Tables

  Table 3-1. Total Number of Agency Systems by FIPS 199 Risk Impact Level ........ 4
  Table 3-2. Total Number of Contractor Systems by FIPS 199 Risk Impact Level ........ 5
  Table 3-3. Primary Information Type Comparison – Exhibit 53 and Security Categorization ........ 7
  Table 3-3. Number of Systems Certified and Accredited by FIPS 199 Risk Impact Level ........ 9
  Table 3-4. Number of Systems With Tested and Evaluated Security Controls by FIPS 199 Risk Impact Level ........ 10
  Table 3-5. Number of Systems With Tested Contingency Plans by FIPS 199 Risk Impact Level ........ 16
  Table B-1. Status of Contingency Plan Testing ........ 51
  Table C-1. Program Level POA&M Statistics ........ 55
  Table C-2. System Level POA&Ms Statistics ........ 55
  Table C-3. Summary of FY 2007 POA&Ms Through the 3rd Quarter ........ 56


1          Background

On December 17, 2002, the President signed the E-Government Act of 2002, which included FISMA.² FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency's information security program and practices to determine its effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency's information systems. FISMA requires the annual evaluation to be performed by the agency's IG or by an independent external auditor.

OMB memorandum M-07-19 requires the agency's IG to complete the OMB FISMA Reporting Template for IGs. That template, along with any additional narrative the IG believes would provide meaningful insight into the status of the agency's security or privacy program, is submitted to OMB as part of the agency's annual FISMA report.

Richard S. Carson and Associates, Inc. (Carson Associates), performed an independent evaluation of NRC's implementation of FISMA for FY 2007. This report presents the results of that independent evaluation. Carson Associates also prepared the OMB FISMA Reporting Template for IGs, along with additional narrative, for inclusion in the agency's annual FISMA report. The OMB FISMA Reporting Template for IGs and the additional narrative is included as Appendix D to this report.

This report reflects the status of the agency's information system security program as of the completion of fieldwork on August 17, 2007. Any information received from the agency subsequent to the completion of fieldwork was incorporated when possible.

2          Purpose

The objective of this review was to perform an independent evaluation of NRC's implementation of FISMA for FY 2007. Appendix A contains a description of the evaluation scope and methodology.

3          Findings

Over the past 5 years, NRC has made improvements to its information system security program, and continues to make progress in implementing the recommendations resulting from previous FISMA evaluations. To correct weaknesses identified by the FY 2005 and FY 2006 FISMA independent evaluations by the OIG, and to address findings from the agency's own evaluations, the agency has refocused its information system security program. Under the refocused program, the agency proposed performing certification and accreditation of systems that are a high priority from a mission perspective and others that potentially pose a higher security risk (e.g., agency systems that communicate with systems outside the NRC network). The first certification and accreditation schedule under the refocused program was issued in February 2006. This schedule has changed several times since February 2006.

² The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-Government Act of 2002 (Public Law 107-347), and replaces the Government Information Security Reform Act, which expired in November 2002.

The security certification and accreditation of information systems is integral to an agency's information security program and is an important activity that supports the risk management process required by FISMA. Section 3.7 of this report provides an in-depth discussion of the certification and accreditation process and its significance to an agency's information security program.

The first phase of the refocused program also included the development of a new certification and accreditation process, which has been finalized. The agency has finalized the templates for all certification and accreditation documents as well as instructions for completing the templates. The updated certification and accreditation process was also integrated into the agency's new project management methodology.

The agency has also accomplished the following since the FY 2006 FISMA independent evaluation:

   •   As required by FISMA, NRC performed annual testing and evaluation (also referred to as self-assessment) of the security controls for 28 of the agency's 30 operational systems. As the other two agency operational systems were just certified and accredited in FY 2007, the agency did not perform an additional self-assessment of those systems as permitted by OMB and NIST guidance.
   •   The agency updated security plans for 5 of the agency's 30 operational systems. Subsequent to the completion of fieldwork, the agency provided an updated security plan for another system.
   •   The agency completed the consolidation and reconciliation of data from NRC information systems inventory systems and created a new centralized system for tracking NRC information systems.
   •   The agency has developed policies, procedures, and a template for conducting PIAs.
   •   The agency has made significant progress in implementing the provisions of OMB memorandum M-06-15, as well as subsequent memoranda issued by OMB regarding privacy and the protection of PII.

However, even with the new certification and accreditation process, the refocused information system security program, and the award of a multi-year, multi-million dollar contract to provide the agency with consolidated information system security services, the agency has completed certification and accreditation of only two agency systems and one contractor system for which the agency has direct oversight in the past 2 years. In the meantime, the certifications and accreditations for all of the agency's remaining 28 operational systems have expired.

The following significant deficiencies were identified in NRC's information system security program. These significant deficiencies were also identified in the FY 2006 FISMA independent evaluation, and were reported as findings in the FY 2005 FISMA independent evaluation.

   •   Only 2 of the 30 operational NRC information systems have a current certification and accreditation, and only 4 of the 11 systems used or operated by a contractor or other organization on behalf of the agency have a current certification and accreditation. Subsequent to the completion of fieldwork, the agency completed certification and accreditation of one of the contractor systems for which they have direct oversight, and the system was granted an ATO. Two additional agency systems have also been certified and are currently under review by the agency's designated approving authority for consideration of an ATO.
   •   Annual contingency plan testing is still not being performed for all systems.

The independent evaluation also identified 12 information system security program weaknesses. Five are repeat findings from the FY 2005 and FY 2006 FISMA independent evaluations, and seven are new.

   •   Security categorizations for some systems do not consistently reflect the information types that reside on the systems (new finding).
   •   The majority of NRC major applications and general support systems have not been categorized in accordance with Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems (repeat finding).
   •   The agency did not follow OMB and NIST guidance when conducting its annual self-assessments (new finding).
   •   Self-assessments were not always based on approved security categorizations (new finding).
   •   Self-assessments contained errors and inconsistencies (new finding).
   •   The agency does not maintain documentation that demonstrates systems provided by other Federal agencies meet FISMA requirements (repeat finding).
   •   Oversight of other contractor systems is lacking (repeat finding).
   •   The agency's methodology is flawed for identifying which listed systems reside on the NRC network and which do not (new finding).
   •   The quality of the agency's POA&Ms needs improvement (new finding).
   •   The agency's certification and accreditation process is inconsistent with NIST guidance (new finding).
   •
 The agency lacks procedures for ensuring employees with significant information\n       technology (IT) security responsibilities receive security training (repeat finding).\n   \xe2\x80\xa2   E-authentication risk assessments have not been completed (repeat finding).\n\nThe following sections present the detailed findings from the independent evaluation. As stated\npreviously, two findings are significant deficiencies, seven findings are new, and five are repeat\nfindings from previous FISMA independent evaluations. The following sections are organized\nbased on the OMB FISMA Reporting Template for IGs, which can be found in Appendix D of\nthis report. Each major section corresponds to a question or set of questions from the template.\nFindings are presented in the sections to which they are relevant.\n\n\n                                                 3\n\x0c                                                                                           Independent Evaluation of\n                                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n\n\n3.1       FISMA Systems Inventory\n\nAgency Systems\n\n                                 OMB Requirement                                               OIG Response\n    1. As required in FISMA, the IG shall evaluate a representative subset                 See Table 3-1 below.\n    of systems used or operated by an agency or by a contractor of an\n    agency or other organization on behalf of an agency. Identify the\n    number of agency and contractor information systems, and the number\n    reviewed, by component/bureau and FIPS 199 system impact level\n    (high, moderate, low, or not categorized) (a., b., and c.).\n    1.a. Agency Systems.\n\n          Table 3-1. 
Total Number of Agency Systems by FIPS 199 Risk Impact Level\n                                FIPS 199 Risk             Total             Number\n                                Impact Level             Number            Reviewed\n                                      High                    4                 0\n                                   Moderate                   11                1\n                                      Low                     0                 0\n                               Not Categorized                15                0\n                                      Total                   30                1\n\nNRC has a total of 303 operational systems that fall under FISMA reporting requirements.4 Of\nthe 30, 17 are general support systems,5 and 13 are major applications.6 As required by FISMA,\nCarson Associates selected a subset of NRC systems for evaluation during the FY 2007 FISMA\nindependent evaluation. However, only one of the three systems that were selected had a current\ncertification and accreditation. While an additional system completed certification and\naccreditation in July 2007, it was after the cutoff date established at the entrance conference, and\nwas therefore not considered for evaluation. As there were no other systems with a current\ncertification and accreditation to consider for evaluation, Carson Associates evaluated only one\nagency system for the FY 2007 FISMA independent evaluation.\n\n\n3\n  The agency reports 31 operational systems. The OIG disagrees with the agency that an OIG system is a major\n  application. It has been categorized as a listed system since it began operations in 2004. This designation is\n  presently under a detailed review. Therefore, the metrics in this report reflect a total of 30 operational systems.\n4\n  NRC also has a number of major applications and general support systems currently in development. 
For FISMA reporting purposes, only operational systems are considered.
⁵ A general support system is an interconnected set of information resources under the same direct management control that share common functionality. Typical general support systems are local and wide area networks, servers, and data processing centers.
⁶ A major application is a computerized information system or application that requires special attention to security because of the risk and magnitude of harm that would result from the loss, misuse, or unauthorized access to or modification of the information in the application.

A current certification and accreditation is needed to perform a system evaluation because it contains a description of the current security controls that are in place or are planned for a system. This information is found in the system’s security plan, which is a part of a system’s certification and accreditation package. An understanding of whether the security controls that are in place are operating as intended, as well as any risk associated with operating the system with the described security controls, is also necessary for performing a system evaluation. This information is also found in the system’s certification and accreditation package.

Contractor Systems

OMB Requirement: 1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. Identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized) (a., b., and c.).
1.b. Contractor Systems.

OIG Response: See Table 3-2 below.

Table 3-2. Total Number of Contractor Systems by FIPS 199 Risk Impact Level

   FIPS 199 Risk Impact Level   Total Number   Number Reviewed
   High                               0               0
   Moderate                           4               0
   Low                                1               0
   Not Categorized                    6               0
   Total                             11               0

NRC has a total of 11 systems operated by a contractor or other organization on behalf of the agency (8 major applications and 3 general support systems). Of the 11, 6 are operated by other Federal agencies, 2 are operated by federally funded research and development centers, and 3 are operated by private contractors. NRC is responsible for direct oversight for four of these systems. Oversight of the remaining seven systems is the responsibility of the Federal agency operating the system. Therefore, the OIGs of those agencies would be responsible for evaluating those systems.

As required by FISMA, Carson Associates selected a subset of the contractor systems for which NRC is responsible for direct oversight for evaluation during the FY 2007 FISMA independent evaluation. However, the system selected did not have a current certification and accreditation, and none of the other contractor systems for which NRC is responsible for direct oversight had a current certification and accreditation.
Therefore, Carson Associates did not evaluate any contractor systems for the FY 2007 FISMA independent evaluation.

Security Categorization – Background

FIPS 199 requires all Federal agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The security categorization of an information system is conducted by first categorizing all information types⁷ resident on the information system. The security category of an information type is established by determining the potential impact (i.e., low, moderate, high) for each security objective (i.e., confidentiality, integrity, availability) associated with the particular information type. For example, an organization managing public information on its Web server determines that there is no potential impact from a loss of confidentiality (i.e., confidentiality requirements are not applicable), a moderate potential impact from a loss of integrity, and a moderate potential impact from a loss of availability.

The security categorization of an information system must take into account the security categories of all information types resident on the information system being categorized. For an information system, the potential impact values assigned to the respective security objectives are the highest values (i.e., high water mark) from among the security categories that have been determined for each information type resident on the information system.

Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept must be used to determine the overall impact level of the information system. Thus, a low-impact system is an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high. Therefore, the information system used in the above example would be considered a moderate-impact system.

The determination of information system impact levels must be accomplished prior to the consideration of minimum security requirements and the selection of appropriate security controls for those information systems.

FINDING A – Security Categorizations for Some Systems Do Not Consistently Reflect the Information Types that Reside on the Systems (New Finding)

Carson Associates reviewed the security categorizations for 9 agency systems and 3 contractor systems and found that 4 do not consistently reflect the information types that reside on the systems. As a result, the overall impact levels of these information systems may not reflect the impact to the agency should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability).

⁷ Information is categorized according to its information type. An information type is a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or, in some instances, by a specific law, Executive order, directive, policy, or regulation.

The NIST Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume I, describes the following methodology for identifying information types when conducting a security categorization:

   •   Identify the fundamental business areas (management and support) or mission areas (mission-based) supported by the system under review.
   •   Identify for each business or mission area the areas of operations or lines of business that describe the purpose of the system in functional terms.
   •   Identify the sub-functions necessary to carry out each area of operation or line of business.
   •   Select the basic information types associated with the identified sub-functions.
   •   Where appropriate, identify any information type processed by the system that is required by statute, Executive order, or agency regulation to receive special handling.

To determine the primary information types that reside on the systems for which security categorizations were reviewed, Carson Associates reviewed the agency’s Exhibit 53⁸ for FY 2007.
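The high water mark rule from the Security Categorization background above, together with the kind of primary-information-type consistency check just described for the Exhibit 53 review, as an added Python example (not code from the report, NRC, or NIST). The information types and their impact values are constructed for illustration; the first mirrors the report’s public Web server example, and the floor of low for a system-level objective is taken from FIPS 199.

```python
"""FIPS 199 security categorization via the high water mark rule.

Added example, not part of the OIG report or any NRC/NIST tool. The
information types and impact values below are constructed for illustration;
they are not the provisional values from NIST SP 800-60.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Ordinal ranking of the FIPS 199 potential impact values. None models
# "not applicable", which FIPS 199 permits only for the confidentiality
# objective of an information type, never for an information system.
IMPACT_RANK: Dict[Optional[str], int] = {None: 0, "low": 1, "moderate": 2, "high": 3}
RANK_IMPACT = {rank: value for value, rank in IMPACT_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """Security category of one information type: SC = {(C, x), (I, y), (A, z)}."""
    name: str
    confidentiality: Optional[str]  # None means "not applicable"
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            if value not in IMPACT_RANK:
                raise ValueError(f"{self.name}: bad {objective} impact {value!r}")
            if value is None and objective != "confidentiality":
                raise ValueError(f"{self.name}: {objective} cannot be not applicable")


def categorize_system(info_types: Iterable[InformationType]) -> Tuple[Dict[str, str], str]:
    """Return (impact value per objective, overall impact level) for a system.

    Each objective takes the highest value found among the resident information
    types (the high water mark). FIPS 199 also sets a floor of low for an
    information system, so "not applicable" confidentiality on every resident
    type still yields low at the system level.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must carry at least one information type")
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        high_water = max(IMPACT_RANK[getattr(t, objective)] for t in types)
        category[objective] = RANK_IMPACT[max(high_water, IMPACT_RANK["low"])]
    return category, overall_impact_level(category)


def overall_impact_level(category: Dict[str, str]) -> str:
    """Low only when all three objectives are low; high when any objective is
    high; otherwise moderate (at least one moderate, none above moderate)."""
    return RANK_IMPACT[max(IMPACT_RANK[value] for value in category.values())]


def missing_primary_types(primary_types: Iterable[str],
                          categorized: Iterable[InformationType]) -> List[str]:
    """Finding A style check: primary information types reported for a system
    (e.g. on the Exhibit 53) that its security categorization does not list."""
    listed = {t.name.strip().lower() for t in categorized}
    return [p for p in primary_types if p.strip().lower() not in listed]


# --- constructed sample data (not from the report) --------------------------
PUBLIC_WEB_CONTENT = InformationType("Official Information Dissemination", None, "moderate", "moderate")
PII_RECORDS = InformationType("Personal Identity and Authentication", "moderate", "moderate", "low")
SAFETY_TELEMETRY = InformationType("Disaster Monitoring and Prediction", "low", "high", "high")

PUBLIC_WEB_SERVER = [PUBLIC_WEB_CONTENT]                             # the report's example
EMERGENCY_PORTAL = [PUBLIC_WEB_CONTENT, PII_RECORDS, SAFETY_TELEMETRY]  # three types, one system

# Categorization on file for a hypothetical system lists only these types,
# while its Exhibit 53 entry names Catastrophic Defense as the primary type.
ON_FILE = [InformationType(name, "low", "low", "low") for name in (
    "Disaster Monitoring and Prediction", "IT Security", "Environmental Monitoring and Forecasting")]

if __name__ == "__main__":
    for label, system in (("public web server", PUBLIC_WEB_SERVER), ("emergency portal", EMERGENCY_PORTAL)):
        per_objective, overall = categorize_system(system)
        print(f"{label}: {per_objective} -> {overall}-impact system")
    print("primary types not reflected:", missing_primary_types(["Catastrophic Defense"], ON_FILE))
```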
Carson Associates found that the security categorizations for four systems did not reflect the primary business area, primary line of business, and/or primary sub-function of those systems as indicated on the Exhibit 53. Table 3-3 below shows a comparison of the primary information type indicated on the Exhibit 53 with the information types found in the security categorizations for the four systems.

Table 3-3. Primary Information Type Comparison – Exhibit 53 and Security Categorization

   System     Primary Information Type in Exhibit 53   Information Types in Security Categorization
   System 1   Catastrophic Defense                     Disaster Monitoring and Prediction, IT Security, Environmental Monitoring and Forecasting
   System 2   Catastrophic Defense                     Customer Services, Official Information Dissemination, IT Security, Record Retention, Information Management, Disaster Monitoring and Prediction, Disaster Preparedness and Planning, Environmental Monitoring and Forecasting
   System 3   Information Management                   Scientific and Technical Research and Innovation, Research and Development, IT Security
   System 4   Corrective Action                        Program Evaluation, Program Monitoring, Budget Formulation, Strategic Planning, Management Improvement, Official Information Dissemination, Inspections and Auditing, Standards Setting/Reporting Guideline Development

⁸ The Exhibit 53 is used by agencies to report their IT investment portfolio annually to OMB. The Exhibit 53 provides budget estimates for all IT investments and identifies those that are major investments.

If the security categorizations do not reflect the information types that reside on the systems, the overall impact levels of these information systems may not reflect the impact to the agency should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability).

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   1. Review and correct as needed all security categorizations so that they consistently reflect the information types that reside on the systems.

FINDING B – Majority of NRC Major Applications and General Support Systems Have Not Been Categorized in Accordance With FIPS 199 (Repeat Finding)

This is a repeat finding from the FY 2005 and FY 2006 FISMA independent evaluations. As stated previously, FIPS 199 requires all Federal agencies to categorize their information systems. However, despite this requirement, the majority of NRC major applications and general support systems still have not been categorized in accordance with FIPS 199. Specifically, only 15 of the 30 operational NRC information systems have been categorized.
Only 5 of the 11 contractor systems have been categorized.

In FY 2007, the agency completed only three additional security categorizations for NRC systems, updated the security categorization for another system, and completed four additional security categorizations for contractor systems. According to the agency, the target date for completing all system security categorizations was August 15, 2007. This target date was not met.

Without security categorizations for all agency and contractor systems, the agency cannot effectively determine minimum security requirements and select appropriate security controls for their information systems as defined in NIST SP 800-53 Revision 1, Recommended Security Controls for Federal Information Systems. In addition, the agency cannot be assured it is using the correct minimum security control baseline from NIST SP 800-53 when performing its annual security control testing and review. The security categorization is also needed to effectively implement several Federal and OMB initiatives.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   2. Categorize all NRC major applications and general support systems in accordance with FIPS 199. This recommendation replaces recommendation #1 from OIG-05-A-21, Independent Evaluation of NRC’s Implementation of FISMA for Fiscal Year 2005.

3.2    Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

3.2.1 Certification and Accreditation

OMB Requirement: 2. For the total number of systems reviewed by component/bureau and FIPS system impact level for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.
2.a. Number of systems certified and accredited.

OIG Response: See Table 3-3 below (NOTE: the metrics represent the status for all NRC systems, not just the subset that was chosen for evaluation in FY 2007).

Table 3-3. Number of Systems Certified and Accredited by FIPS 199 Risk Impact Level

   FIPS 199 Risk Impact Level   Agency   Contractor   Total
   High                            1          0          1
   Moderate                        1          4          5
   Low                             0          1          1
   Not Categorized                 0          0          0
   Total                           2          5          7

This section reports on the number of agency and contractor systems with a current certification and accreditation. Section 3.7 of this report discusses the assessment of the agency’s certification and accreditation process in detail.

FINDING C – The Majority of NRC Systems Are Not Certified and Accredited (Repeat Significant Deficiency)

As in FY 2005 and FY 2006, Carson Associates found that the majority of NRC systems are not certified and accredited. Only 2 of the 30 operational NRC information systems have a current certification and accreditation.
Of the 11 systems operated by a contractor or other organization on behalf of the agency, only 4 have a current certification and accreditation. These four systems are operated by other Federal agencies. Of the remaining seven, two are operated by other Federal agencies, two are operated by federally funded research and development centers, and three are operated by private contractors. Subsequent to the completion of fieldwork, the agency completed certification and accreditation of one of the contractor systems for which they have direct oversight, and the system was granted an ATO. Two additional agency systems have also been certified and are currently under review by the agency’s designated approving authority for consideration of an ATO.

OMB defines a significant deficiency as “a weakness in an agency’s overall information systems security program or management control structure, or within one or more information systems that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets.” OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources, provides three specific examples of a significant deficiency, each of which must be reported as such – (1) the failure to assign responsibility for security of the system or application, (2) the lack of a system security plan, and (3) the absence of authorization to process (certification and accreditation).

In accordance with OMB requirements, it constitutes a significant deficiency that only 2 of the 30 operational NRC information systems have a current certification and accreditation and only 5 of the 11 systems used or operated by a contractor or other organization on behalf of the agency have a current certification and accreditation. This deficiency is not a recent problem. The agency has made little progress in correcting the deficiency. The agency has completed certification and accreditation of only two agency major applications and one contractor system for which the agency has direct oversight in the past 2 years. According to the agency, certification and accreditation of all agency systems is not expected to be completed until the end of FY 2009.

3.2.2 Security Control Test and Evaluation

OMB Requirement: 2. For the total number of systems reviewed by component/bureau and FIPS system impact level for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.
2.b. Number of systems for which security controls have been tested and reviewed in the past year.

OIG Response: See Table 3-4 below.

Table 3-4. Number of Systems With Tested and Evaluated Security Controls by FIPS 199 Risk Impact Level

   FIPS 199 Risk Impact Level   Agency   Contractor   Total
   High                            4          0          4
   Moderate                       11          2         13
   Low                             0          1          1
   Not Categorized                15          3         18
   Total                          30          6         36

FISMA requires that the management, operational, and technical controls⁹ in agency systems be tested with a frequency depending on risk, but not less than annually. NRC meets this requirement by performing annual self-assessments of the security controls of all agency and contractor systems. The purpose of the self-assessment is to assess the security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

NRC performed self-assessments of the security controls for 28 of the agency’s 30 operational systems. The agency chose not to perform a self-assessment of the OIG system discussed earlier, as that system’s status as a major application is still under determination.
As the other two agency operational systems were just certified and accredited in FY 2007, the agency did not perform an additional self-assessment of those systems as permitted by OMB and NIST guidance. The agency also included the physical and environmental controls of the four NRC regional offices and the NRC Technical Training Center in one self-assessment.

NRC is required to perform self-assessments only on those contractor systems for which it has direct oversight. Self-assessments for the remaining contractor systems are the responsibility of the Federal agencies that operate those systems. NRC performed a self-assessment of one of the four contractor systems for which it has direct oversight. As two of the four contractor systems for which NRC has direct oversight are considered to be sub-components of the NRC LAN/WAN, only the physical and environmental controls and the personnel security controls were evaluated for these systems. The results were incorporated into the self-assessment for one of the agency’s general support systems. The fourth contractor system for which the agency has direct oversight was expected to be certified and accredited in FY 2007, so the agency did not conduct a separate self-assessment for this system. However, the certification and accreditation was not expected to be completed prior to the submission of this report, so it was not originally included in the total number of contractor systems for which security controls have been tested and evaluated in the past year. Subsequent to the completion of fieldwork, the agency completed certification and accreditation of this system, and the system was granted an ATO.

For the seven contractor systems that are operated by other Federal agencies, NRC’s policy is to confirm with the owner agencies that annual security control testing and evaluation has been completed. As two of the Federal contractor systems were just certified and accredited in FY 2007, these two systems were included in the total number of contractor systems for which security controls have been tested and evaluated. The agency has not obtained confirmation from the owner agencies of the other five contractor systems operated by other Federal agencies that annual security control testing and evaluation has been completed. Subsequent to the completion of fieldwork, the agency provided a certification memorandum for one of the Federal contractor systems that indicates security control testing and evaluation for the system was completed in FY 2007. However, the agency could not demonstrate that this system has been accredited (and therefore, that the designated approving authority for that system approved the testing and evaluation). Therefore, it was not included in the total number of contractor systems for which security controls have been tested and evaluated in the past year.

⁹ Management controls are the safeguards or countermeasures that focus on the management of risk and the management of information system security. Operational controls are the safeguards or countermeasures that primarily are implemented and executed by people (as opposed to systems). Technical controls are the safeguards or countermeasures that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
As discussed later in\nSection 3.3 of this report, the FY 2005 and FY 2006 FISMA independent evaluation found that\nthe agency does not maintain documentation that demonstrates that systems provided by other\nFederal agencies meet FISMA requirements.\n\nThe agency provided the majority of the self-assessments after the cutoff date established at the\nentrance conference, giving us only enough time to perform a cursory review. However, even a\ncursory review found that (1) the agency did not follow OMB and NIST guidance for conducting\nits annual security control assessments, (2) self-assessments were not always based on approved\nsecurity categorizations, and (3) self-assessments contained errors and inconsistencies.\n\nSecurity Control Test and Evaluation \xe2\x80\x93 Background\n\nFISMA (section 3544(b)(5)) requires each agency to perform for all systems (including those\noperated by a contractor or other organization on behalf of an agency) \xe2\x80\x9cperiodic testing and\nevaluation of the effectiveness of information security policies, procedures, and practices, to be\nperformed with a frequency depending on risk, but not less than annually.\xe2\x80\x9d This review shall\ninclude the testing of management, operational, and technical controls, and is also referred to as a\nself-assessment.\n\nThe FY 2006 FISMA guidance stated that for FY 2007 and beyond, agencies will be required to\nuse FIPS 200, Minimum Security Requirements for Federal Information and Information\nSystems, and NIST SP 800-53 for the specification of security controls, and NIST SP 800-53A,\nGuide for Assessing the Security Controls in Federal Information Systems, for the annual\nassessment of security control effectiveness. After FY 2006, NIST SP 800-26, Security Self-\nAssessment Guide for Information Technology Systems, is not to be used for the specification\nand/or assessment of security controls. 
This requirement was reiterated in the FY 2007 FISMA guidance, issued July 25, 2007.

In February 2007 (updated in May 2007), NIST issued a memorandum for the record stating that after the final release of NIST SP 800-53A in FY 2007 (tentatively scheduled for December 2007), NIST plans to rescind NIST SP 800-26. The memorandum also reiterated OMB's statement that for FY 2007 and beyond, agencies will be required to use NIST SP 800-53A for the assessment of security control effectiveness. Attached to the memorandum is a security controls assessment form, which replaces the form contained in NIST SP 800-26, and provides a standard methodology for capturing the results of system-level security control assessments. The form will be incorporated into the final release of NIST SP 800-53A. The memorandum stated that agencies may use the attached form to support security controls assessment requirements for FY 2007. The third public draft of NIST SP 800-53A was issued June 4, 2007.

FINDING D – The Agency Did Not Follow OMB and NIST Guidance When Conducting Its Annual Self-Assessments (New Finding)

Despite the requirement to use NIST SP 800-53A for the annual assessment of security control effectiveness, the agency conducted the FY 2007 self-assessments by using the approach of measuring progress by levels of effectiveness, as described in NIST SP 800-26. The agency also chose to use the self-assessment report format from NIST SP 800-26. The agency's methodology did not include all testing methods required by NIST SP 800-53A.
As a result, the agency cannot be certain that all controls are operating as intended.

The agency's self-assessment methodology included the following activities:

   • Sending a brief questionnaire to system owners to validate the system identification information and to request documents needed to support the self-assessment process.
   • Reviewing existing documentation.
   • If needed, sending additional questions to system owners.
   • Interviewing system owners (some self-assessments were conducted without interviewing system owners).

The agency's security control assessment methodology is hierarchical and is based on the methodology described in NIST SP 800-26. The NIST SP 800-26 methodology comprises five levels to guide agency assessments. Level 1 indicates that there are policies in place for the security controls. Level 2 indicates that there are documented procedures for implementing the policies and the security controls. Level 3 indicates that the procedures and the security controls have been implemented. Level 4 indicates that procedures and controls are tested and reviewed. Finally, Level 5 indicates that procedures and controls are fully integrated into a comprehensive information system security program. Using the agency's methodology, if a control did not meet the requirements of a particular level, then the testing and evaluation of that control ended. For example, if a control had policies, but no procedures, then the implementation of that control was, in most cases, never evaluated, even if the control was actually implemented.

The security control assessment methodology described in NIST SP 800-53A is not hierarchical. NIST SP 800-53A describes three methods for assessing security controls: examine, interview, and test.
These assessment methods are used to determine whether a particular security control is operating as intended (i.e., is the control implemented correctly, being used as intended, and producing the intended outcome with respect to meeting the security requirements for the information system). Control effectiveness is measured as satisfied, partially satisfied, or not satisfied. Satisfied indicates that the portion(s) of the security control being addressed by the procedural statement are operating as intended. Partially satisfied indicates that some portion(s) of the security control being addressed by the procedural statement are operating as intended, but other portions are not. Not satisfied indicates that the portion(s) of the security control being addressed by the procedural statement are not operating as intended. Using this methodology, a control without policies and/or procedures could still be found to be partially satisfied if the control was actually implemented as intended.

NIST SP 800-53A includes an assessment procedure catalog that specifies which assessment methods should be used to evaluate a particular security control. All assessment methods specified for a control in the assessment catalog are expected to be completed. For example, for the physical and environmental control PE-3 (physical access control), NIST SP 800-53A specifies that for a moderate-impact system, all three assessment methods – examine, interview, and test – should be used to test this control.

The agency's methodology included two of the assessment methods described in NIST SP 800-53A – examine and interview.
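To make the contrast concrete, the following added example (not from the OIG report, the agency, or NIST) scores the PE-3 control both ways on two constructed remote locations that have a policy but no procedures; the site data and the one-statement-per-method determinations are simplified assumptions, and only Levels 1 through 3 of the NIST SP 800-26 hierarchy are modeled.

```python
"""Score one security control (PE-3, physical access control) two ways: the
hierarchical NIST SP 800-26 levels the report describes and the NIST SP 800-53A
examine/interview/test methods. Added example, not part of the OIG report; the
site data and the simplified determination statements are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ControlFacts:
    """Constructed ground truth: what each assessment method would find
    if the assessor actually performed it at this site."""
    control_id: str
    policy_documented: bool        # examine: a policy exists (Level 1)
    procedures_documented: bool    # examine: procedures exist (Level 2)
    owner_confirms_enforced: bool  # interview: owner states access is restricted
    devices_restrict_entry: bool   # test: site visit shows entry is actually restricted


@dataclass(frozen=True)
class Result:
    outcome: str                   # "Level N" or satisfied / partially satisfied / not satisfied
    methods_performed: Tuple[str, ...]
    implementation_observed: Optional[bool]  # None: implementation never looked at


def assess_sp800_26(facts: ControlFacts) -> Result:
    """Hierarchical scoring as the report describes: a level is checked only
    when the previous one was met, so evaluation stops at the first unmet level.
    Levels 4 and 5 are not modeled here (assumption for brevity)."""
    performed = ["examine"]
    if not facts.policy_documented:
        return Result("Level 0", tuple(performed), None)
    if not facts.procedures_documented:
        # Level 2 unmet: Level 3 (implementation) is never evaluated, even if
        # the control is in fact implemented.
        return Result("Level 1", tuple(performed), None)
    performed.append("test")  # Level 3 needs a site visit to observe implementation
    if not facts.devices_restrict_entry:
        return Result("Level 2", tuple(performed), False)
    return Result("Level 3", tuple(performed), True)


# Assessment methods per control, as the report states the NIST SP 800-53A
# catalog requires for PE-3 on a moderate-impact system. Constructed table.
CATALOG_METHODS = {"PE-3": ("examine", "interview", "test")}


def assess_sp800_53a(facts: ControlFacts) -> Result:
    """Non-hierarchical scoring: every method in the catalog is performed and
    the control is rated satisfied / partially satisfied / not satisfied by
    how many of the (simplified, constructed) determination statements hold."""
    methods = CATALOG_METHODS[facts.control_id]
    determinations = {
        "examine": facts.policy_documented and facts.procedures_documented,
        "interview": facts.owner_confirms_enforced,
        "test": facts.devices_restrict_entry,
    }
    met = [determinations[m] for m in methods]
    if all(met):
        outcome = "satisfied"
    elif any(met):
        outcome = "partially satisfied"
    else:
        outcome = "not satisfied"
    return Result(outcome, methods, facts.devices_restrict_entry)


# Two constructed remote locations, both with a policy but no procedures
# (Level 1 in the report's terms). Site A's badge readers actually restrict
# entry; site B's do not.
SITE_A = ControlFacts("PE-3", True, False, True, True)
SITE_B = ControlFacts("PE-3", True, False, False, False)


def compare(facts: ControlFacts) -> dict:
    """Run both methodologies on one site and return both results."""
    return {"sp800_26": assess_sp800_26(facts), "sp800_53a": assess_sp800_53a(facts)}


if __name__ == "__main__":
    for name, site in (("site A", SITE_A), ("site B", SITE_B)):
        for method, result in compare(site).items():
            print(f"{name} {method}: {result.outcome}; methods performed: "
                  f"{', '.join(result.methods_performed)}; implementation observed: "
                  f"{result.implementation_observed}")
```

Both sites come out as Level 1 under the hierarchical scoring with the test method never performed, while the NIST SP 800-53A scoring separates them (partially satisfied versus not satisfied) because the test method is always carried out.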
However, due to the hierarchical nature of its process, not all of the assessment methods specified in the NIST SP 800-53A assessment catalog were performed for each control. Continuing with the PE-3 control example, the agency did not perform the test assessment method specified by NIST SP 800-53A for this control for the agency's remote locations. The agency stated that the physical and environmental controls for these locations had only policies in place (Level 1). Therefore, site visits were not necessary as they would be needed only to test the implementation (Level 3) of the control. Because the implementation of these controls was never tested, it is not possible to determine if the Level 1 effectiveness means there are no procedures and the control is not implemented, or if the control is implemented, but because there were no procedures, its implementation was never tested. As a result of the incomplete testing, the agency cannot be certain that all controls are operating as intended.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   3. Conduct annual self-assessments in accordance with current OMB and NIST guidance.

FINDING E – Self-Assessments Were Not Always Based on Approved Security Categorizations (New Finding)

Carson Associates also found that self-assessments for 15 of the agency's 30 operational systems, and for 3 contractor systems, were not based on an approved security categorization.
As stated previously in Section 3.1 of this report, security categorizations are necessary to (1) determine the appropriate set of minimum security controls to implement for a system, and (2) identify the correct minimum security control baseline from NIST SP 800-53 to use when performing annual security control testing and review.

In some cases, we found that the impact levels for confidentiality, integrity, and availability noted on these self-assessments differed from the impact levels on the FY 2006 self-assessments, yet there is no explanation for the differences. For example, one system was evaluated against the low-impact security control baseline in FY 2007, but was evaluated against the moderate-impact security control baseline in FY 2006. Another system was evaluated against the high-impact security control baseline in FY 2006, but was evaluated against the moderate-impact security control baseline in FY 2007. Self-assessments that are not based on an approved security categorization may not be evaluating the appropriate set of controls. As a result, the agency cannot be certain that all controls are operating as intended.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   4. For self-assessments conducted on systems without an approved security categorization, include an explanation as to how the impact levels for confidentiality, integrity, and availability were determined.
      This explanation should also include a discussion of any changes to the impact levels from the previous year's self-assessment.

FINDING F – Self-Assessments Contained Errors and Inconsistencies (New Finding)

Carson Associates also found the following errors and inconsistencies in the FY 2007 self-assessments:

   • The blank self-assessment (template) for the moderate-impact baseline and all moderate-impact self-assessments are missing identification and authentication control IA-2, enhancement 1.
   • The blank self-assessment (template) for the high-impact baseline and all high-impact self-assessments include system and information integrity control SI-4, enhancement 1. This control is not part of the high-impact baseline.
   • The self-assessment for one system with an approved security categorization has risk assessment control RA-2 (security categorization) incorrectly marked at Level 2 (procedures) when it should be marked at Level 3 (implemented).
   • The self-assessments for six systems without approved security categorizations have control RA-2 incorrectly marked at Level 3 (implemented) when it should be marked at Level 2 (procedures).
   • The self-assessment for one system with a POA&M has certification, accreditation, and security assessments control CA-5 (POA&M) incorrectly marked at Level 2 (procedures), when it should be marked at Level 3 (implemented).
   • The section of the self-assessment that lists connected systems is inaccurate or incomplete for several systems.

As a result of the errors and inconsistencies, the agency cannot be certain that all controls are operating as intended, and cannot be certain that the self-assessments reflect the actual security status of the systems.

RECOMMENDATION

   The Office
of the Inspector General recommends that the Executive Director for Operations:

   5. Develop and implement quality assurance procedures for self-assessments.

3.2.3 Contingency Planning and Testing

OMB Requirement (with OIG Response)
2. For the total number of systems reviewed by component/bureau and FIPS system impact level for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.
2.c. Number of systems for which contingency plans have been tested in accordance with policy.
   OIG Response: See Table 3-5 below.

Table 3-5.
Number of Systems With Tested Contingency Plans by FIPS 199 Risk Impact Level [10]

   FIPS 199 Risk Impact Level   Agency   Contractor   Total
   High                            0         0           0
   Moderate                        5         2           7
   Low                             0         0           0
   Not Categorized                 0         0           0
   Total                           5         2           7

NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, states that contingency plans should be tested at least annually and when significant changes are made to the information system, supported business process(es), or the contingency plan. Management Directive (MD) and Handbook 12.5, NRC Automated Information Security Program, states that the NRC shall comply with the NIST guidance to include guidance related to the preparation of security documentation (such as system security plans, IT risk assessments, and IT contingency plans), and other applicable NIST automated information security guidance for IT security processes, procedures, and testing. MD 12.5 also states that IT contingency plans for major applications and general support systems shall be tested each year. A live test provides the best indication of the adequacy of a contingency plan test. If a live test cannot be conducted due to operational constraints, a simulated test may be conducted in lieu of the live test.
Information System Security (ISS) Security Procedure ISS-00-001, Revision 0, Annual Update of System Security Documentation for Automated Information Systems, dated March 1, 2006, also requires annual contingency plan testing for all major applications and general support systems, including the generation of a contingency plan test report.

[10] Any testing performed between October 1, 2006, and the completion of fieldwork would be considered FY 2007 test results. The testing itself must have occurred in that time frame. If the testing occurred prior to October 1, 2006, but the report was not submitted to/approved by the agency until after October 1, 2006, it would still be considered an FY 2006 test, and not an FY 2007 test. Only testing that is supported by a submitted and approved report will be counted.

FINDING G – Annual Contingency Plan Testing Is Still Not Being Performed For All Systems (Repeat Significant Deficiency)

This is a repeat finding from the FY 2005 and FY 2006 FISMA independent evaluations. Despite the requirement that contingency plans should be tested at least annually, only 5 of the agency's 30 operational information systems, and 1 of the agency's contractor systems, had their contingency plans tested in FY 2007.
Subsequent to the completion of fieldwork, the agency provided documentation demonstrating that contingency plan testing was conducted for another contractor system; however, the agency has not yet received the test results report.

As a result, the agency has limited assurance that it will be able to recover mission-critical applications, business processes, and information in the event of an unexpected interruption. Even a minor interruption could result in lost or incorrectly processed data if the contingency plan has not been tested.

In FY 2005, a recommendation was made to develop and implement procedures to ensure contingency plans are tested annually, regardless of the status of a system's certification and accreditation. At the end of October 2006, the agency reported to the Commission that the Office of Information Services (OIS) would provide support to system owners (1) to complete the requirement to update their system's contingency plan, (2) to perform a contingency test in accordance with the contingency plan, and (3) to report on the results of the contingency test by June 1, 2007. However, in a November 2006 status update the agency stated that resources have not been available to support completion of annual contingency plan testing (including test reporting and contingency plan update) and that the target date for completing contingency plan testing for all agency systems was August 1, 2007. This target date was not met, despite the award of a consolidated information system security services contract in July 2006, which includes supporting the offices in completion of contingency plan updates and testing.
The 3rd Quarter FY 2007 POA&M submitted to OMB has projected completion dates for contingency plan testing as late as the 4th Quarter FY 2009.

The following is a summary of the status of contingency plan testing for the 25 operational NRC systems that have not completed contingency plan testing in FY 2007:

   • Five systems have never had their contingency plans tested.
   • Two systems have never had their contingency plans tested, as they are new general support systems identified when the NRC local area network/wide area network (LAN/WAN) was divided into several general support systems. There is insufficient documentation to determine whether these systems were covered by previous LAN/WAN contingency plan tests.
   • One system has not had its contingency plan tested in over 4 years.
   • Thirteen systems have not had their contingency plans tested in over 3 years. Many of these systems are general support systems that were identified when the LAN/WAN was divided into several general support systems.
     There is insufficient documentation to determine whether these systems were fully covered by previous LAN/WAN contingency plan tests.
   • Two systems had their contingency plans tested in 2005.
   • Two systems had their contingency plans tested in 2006; however, the agency never approved the results for one of those systems.

The following is a summary of the status of contingency plan testing for the nine contractor systems that have not completed contingency plan testing in FY 2007:

   • Five systems are operated by other Federal agencies. NRC is responsible only for confirming with the owner agency that annual contingency plan testing has been completed.
   • Three systems have never had their contingency plans tested.
     While these are contractor systems, NRC is responsible for ensuring they have tested contingency plans.
   • One system had its contingency plan tested in FY 2006.

See Appendix B of this report for details on the status of contingency plan testing for all agency and contractor operational systems.

As stated previously, OMB defines a significant deficiency as "a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets."

FISMA defines eight primary components of an agency's information system security program, including (1) annual testing of management, operational, and technical controls of every information system identified in the agency's inventory, and (2) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

The testing of contingency plans is a key element of the two information system security program components described above. It is essential for determining whether plans will function as intended in an emergency situation. Without testing, the agency has limited assurance that it will be able to recover mission-critical applications, business processes, and information in the event of an unexpected interruption.
Even a minor interruption could result in lost or incorrectly processed data if the contingency plan has not been tested.

In accordance with OMB requirements, the fact that the agency has failed to conduct annual contingency plan testing for all systems for the past 3 years constitutes a significant deficiency. This deficiency is not a recent problem and the agency has made little progress in correcting the deficiency. According to the agency, completion of all contingency plan testing is not anticipated for at least another 2 years.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   6. Develop and implement procedures to ensure contingency plans are tested annually, regardless of the status of the systems' certification and accreditation. This recommendation replaces recommendation #3 from OIG-05-A-21, Independent Evaluation of NRC's Implementation of FISMA for Fiscal Year 2005.

3.3 Evaluation of Agency Oversight of Contractor Systems

OMB Requirement (with OIG Response)
3.a.
The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.
   OIG Response: Mostly (81-95% of the time)

FISMA requires agencies to provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (1) information collected or maintained by or on behalf of the agency and (2) information systems used or operated by an agency or other organization on behalf of an agency. [11]

NRC has a total of 11 systems operated by a contractor or other organization on behalf of the agency (8 major applications and 3 general support systems). Of the 11, 6 are operated by other Federal agencies, 2 are operated by federally funded research and development centers, and 3 are operated by contractors supporting the agency. NRC is responsible for direct oversight for four of these systems. Oversight of the remaining seven systems is the responsibility of the Federal agency operating the system.

FINDING H – Agency Does Not Maintain Documentation That Demonstrates Systems Provided By Other Federal Agencies Meet FISMA Requirements (Repeat Finding)

As in FY 2005 and FY 2006, Carson Associates found that the agency is still not maintaining documentation that demonstrates systems provided by other Federal agencies meet FISMA requirements.
As a result, the agency cannot be certain that the information security protections in place for these systems are commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of the information systems.

The agency has been working with the offices to assist in acquiring the required documentation for systems provided by other Federal agencies. However, according to the agency, some of the other Federal agencies have been unwilling to provide documentation that demonstrates they meet FISMA requirements. The other Federal agencies have also been unwilling to share copies of their annual self-assessments or results from their annual contingency plan testing. The OIG stated that a memorandum from the Federal agencies stating that annual self-assessments and annual contingency plan testing have been completed would be sufficient to meet the intent of the recommendations from the FY 2005 FISMA independent evaluation regarding this finding. The agency is currently working towards obtaining such memoranda. As of September 1, 2007, the agency had received certification and accreditation memoranda for only four of the seven systems provided or operated by other Federal agencies.

[11] Information systems used or operated by a contractor of an agency or other organization on behalf of the agency refers to information systems that the agency considers to be either major applications or general support systems.
Due to the current focus on the certification and accreditation phase of systems and scarcity of resources, the anticipated completion date to receive the rest of the required documentation for systems provided or operated by other Federal agencies is December 31, 2007.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   7. Maintain documentation that demonstrates systems provided by other Federal agencies meet FISMA requirements. This recommendation replaces recommendations #4, #5, and #6 from OIG-05-A-21, Independent Evaluation of NRC's Implementation of FISMA for Fiscal Year 2005.

FINDING I – Oversight of Other Contractor Systems Is Lacking (Repeat Finding)

As in FY 2005 and FY 2006, Carson Associates found that oversight of other contractor systems still is lacking. Of the 11 systems operated by a contractor or other organization on behalf of the agency, NRC has direct responsibility for oversight of four of these systems. The agency has demonstrated proper oversight over only one of these systems. This system was issued an ATO shortly after the completion of fieldwork for this report. Certification and accreditation for one system is not scheduled to occur until the 1st Quarter FY 2008, and not until the 2nd Quarter FY 2009 for another system. The certification and accreditation for the third system has not been scheduled to date.
As a result, the agency cannot be certain that the information security protections in place for these systems are commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of the information systems.

In a November 2006 status update, the agency stated that it was in the process of developing procedures for performing oversight of major applications and general support systems operated by a contractor or other organization on behalf of the agency. The agency anticipated completion and distribution of the procedures no later than December 29, 2006. In a subsequent update in July 2007, the agency stated that the procedures could be found in Sections 4.2 and 4.4 of ISS Security Procedure ISS-00-001. While this document does describe the FISMA requirements for contractor systems, the agency has failed to actually implement those requirements for three contractor systems.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   8. Develop and implement procedures for performing oversight of major applications and general support systems operated by a contractor or other organization on behalf of the agency. This recommendation replaces recommendation #7 from OIG-05-A-21, Independent Evaluation of NRC's Implementation of FISMA for Fiscal Year 2005.

3.4 Evaluation of Quality of Agency System Inventory

OMB Requirement (with OIG Response)
3.b.
The agency has developed a complete inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
   OIG Response: Inventory is 81-95% complete
3.c. The IG generally agrees with the Chief Information Officer (CIO) on the number of agency owned systems.
   OIG Response: Yes
3.d. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency.
   OIG Response: Yes
3.e. The agency inventory is maintained and updated at least annually.
   OIG Response: Yes
3.f. If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please identify the known missing systems by component/bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if known), and indicate if the system is an agency or contractor system.
   OIG Response: N/A (none missing)

FISMA requires agencies to develop and maintain an inventory of major information systems operated by or under control of the agency. The inventory must include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency. The inventory must be updated at least annually and must also be used to support information resources management.
MD and Handbook 12.5 also require all interfaces to be included in the inventory, including interfaces with systems or networks not operated by or under the control of the agency.

While FISMA requires agencies to maintain an inventory only of major information systems (major applications and general support systems), NRC also tracks two other system types in its inventories – listed and other.

   • Listed – a computerized information system or application that (1) processes sensitive information requiring additional security protections and (2) may be important to an NRC office's or region's operations, but which is not a major application or general support system when viewed from an agency perspective. Sensitive data may include individual Privacy Act information, law enforcement sensitive information, sensitive contractual and financial information, safeguards, and classified information. Listed systems would be considered minor applications using NIST terminology. [12]
   • Other – an NRC system that does not require additional security protections and is adequately protected by the security provided by the NRC LAN/WAN.

To address findings from the FY 2005 FISMA independent evaluation regarding the agency's inventory, OIS developed a new centralized system for tracking NRC information systems. Data from various databases were compared, and any differences were resolved.
The new system was then updated with data from biannual data calls, starting in September 2006. The new system continues to be updated with subsequent data calls. The agency also developed several procedures and guides to assist NRC offices with the biannual data call and to assist the agency in maintaining the inventory data in the new system.

Carson Associates found small discrepancies between the inventory of major applications, general support systems, and contractor systems reported in the metrics to OMB, and the actual contents of the agency’s new inventory system. The agency has been made aware of these minor discrepancies and is working to correct them. Carson Associates also found that the agency is still in the process of populating the new inventory system with information on interfaces between systems.

The agency is also still working to complete one recommendation from the FY 2006 FISMA independent evaluation regarding the classification of the agency’s Network Continuity of Operations (COOP) system. This system was categorized as a listed system, when it should have been categorized as a general support system. The agency has incorporated the components of the COOP system into existing infrastructure general support systems, and is no longer tracking the COOP system as an individual system. The agency has updated the security categorization documents for four general support systems to incorporate the appropriate COOP components, but they have not all been approved by the Senior Agency Information Security Officer.

RECOMMENDATION

       The Office of the Inspector General recommends that the Executive Director for Operations:

       9.
Complete the updates to the security categorizations of the general support systems into which the Network Continuity of Operations system components have been incorporated. This recommendation replaces recommendation #2 from OIG-06-A-26, Independent Evaluation of NRC’s Implementation of FISMA for Fiscal Year 2006.

12
     An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system.

FINDING J – Agency Methodology Is Flawed for Identifying Which Listed Systems Reside On the NRC Network and Which Do Not (New Finding)

As stated previously, NRC tracks two other system types in its inventories – listed and other. For the purposes of certification and accreditation, the agency further categorizes listed systems as either networked (i.e., reside on the NRC network) or not networked (i.e., do not reside on the NRC network – systems that stand alone, and/or process safeguards information or classified data). The agency has different certification and accreditation requirements for listed systems that reside on the NRC network and for listed systems that do not reside on the network. However, the new inventory system does not provide a means to clearly distinguish which listed systems reside on the NRC network and which do not.
The new inventory system has fields that are used to indicate the types of sensitive data processed by the system (e.g., safeguards information, Confidential, Secret, Top Secret, etc.). These fields could be used to infer whether or not a system resides on the network – that is, any system that processes these types of sensitive data cannot reside on the network. However, if the information in these fields is incorrect or incomplete, the agency has no other means of determining whether or not a listed system resides on the network. As a result, the agency may not be developing the appropriate certification and accreditation documentation for listed systems.

RECOMMENDATION

      The Office of the Inspector General recommends that the Executive Director for Operations:

      10. Develop and implement a methodology for identifying which listed systems reside on the NRC network and which do not.

3.5      Evaluation of Agency POA&M Process

 OMB Requirement / OIG Response

 4.a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
      OIG Response: Almost Always (96-100% of the time)

 4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
      OIG Response: Almost Always (96-100% of the time)

 4.c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly).
      OIG Response: Almost Always (96-100% of the time)

 4.d. Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
      OIG Response: Almost Always (96-
100% of the time)

 4.e. IG findings are incorporated into the POA&M process.
      OIG Response: Almost Always (96-100% of the time)

 4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
      OIG Response: Almost Always (96-100% of the time)

NRC has two primary tools for tracking IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency. At a high level, NRC uses the POA&Ms required by OMB to track (1) corrective actions from the OIG annual independent evaluation, (2) corrective actions from the agency’s annual review, and (3) recurring FISMA and IT security action items such as annual self-assessments and annual contingency plan testing. The POA&Ms may also include corrective actions resulting from other security studies conducted by or on behalf of NRC.

The more specific corrective actions associated with the certification and accreditation process (e.g., corrective actions resulting from risk assessments and security test and evaluation) are tracked in Rational® ClearQuest® as change requests using the project management methodology process for change management. All certification and accreditation corrective actions arising from the security test and evaluation process and from vulnerability scans are imported into Rational ClearQuest.
A corrective action plan is generated directly from Rational ClearQuest. System owners are responsible for remediation of each corrective action within the timeframes specified in the corrective action plan using the project management methodology process for change requests.

Procedures for tracking and updating POA&Ms are provided to system owners with the biannual data call and when the agency requests updates to POA&Ms on alternate quarters between the biannual data calls. The project management methodology Web site provides detailed instructions on completing the corrective action plan.

The agency has made minimal progress in correcting weaknesses reported on its POA&Ms. The agency has corrected 35 percent of its program level weaknesses and 23.7 percent of its system level weaknesses. This is only a slight improvement over FY 2006. The majority of delays have been caused by delays in completing certifications and accreditations, as described later in this report, in Section 3.7. Refer to Appendix C of this report for a detailed analysis of the POA&Ms submitted for the first three quarters of FY 2007.

FINDING K – The Quality of the Agency’s POA&Ms Needs Improvement (New Finding)

In assessing the agency’s POA&M process, Carson Associates found that (1) the metrics submitted to OMB often deviated from the actual POA&Ms, and (2) the agency is not always following OMB and internal NRC POA&M guidance.

Metrics Submitted to OMB Deviate From the Actual POA&Ms

As in FY 2005 and FY 2006, Carson Associates found discrepancies between the metrics submitted to OMB and the actual POA&Ms. In previous FISMA evaluations, the discrepancies in the metrics were not considered significant enough to report as a weakness.
However, we continue to find these discrepancies, and as a result, the agency may not be conveying an accurate picture of the agency’s POA&M process and progress to OMB. The most common errors resulting in the discrepancies are:

       •   Counting weaknesses as closed in more than one quarter.
       •   Counting weaknesses as closed when they have not been closed by the OIG.
           - On the 2nd Quarter FY 2007 POA&M, the agency reported 11 weaknesses from OIG reports as completed when the OIG still considered the weaknesses as resolved13 but not yet closed.
           - On the 3rd Quarter FY 2007 POA&M, the agency reported two weaknesses from OIG reports as completed when the OIG still considered the weaknesses as resolved but not yet closed.
       •   Not counting weaknesses as closed when they have been closed by the OIG prior to the cutoff date for POA&M reporting.
       •   Reporting weaknesses as on track when they are actually delayed.
       •   Reporting weaknesses as delayed when they are still on track.

The Agency Is Not Always Following OMB and NRC Internal POA&M Guidance

As in previous FISMA evaluations, Carson Associates also found that the agency is not always following OMB’s POA&M guidance. The agency is also not following NRC internal POA&M guidance.
The following are some examples of deviations from OMB and NRC internal POA&M guidance found on the FY 2007 POA&Ms.

       •   Weaknesses with completion dates over a year old are not always removed from the POA&Ms.
       •   Weaknesses whose Scheduled Completion Dates were changed after initial reporting.
       •   Weaknesses whose Changes to Milestones entries were altered (previously reported milestone changes were removed).

RECOMMENDATION

       The Office of the Inspector General recommends that the Executive Director for Operations:

       11. Develop and implement quality assurance procedures for POA&Ms.

13
      The OIG uses the term “resolved” to refer to a recommendation when it concurs with the agency’s proposed actions to address the recommendation, but the agency has not completed those actions to close the recommendation.

3.6    IG Assessment of the Certification and Accreditation Process

 OMB Requirement / OIG Response

 5.a. The IG rates the overall quality of the Agency’s certification and accreditation process as:
      OIG Response: Failing

 5.b.
The IG’s quality rating included or considered the following aspects of the C&A process:
      Security plan: X
      System impact level: X
      System test and evaluation: X
      Security control testing: X
      Incident handling: No (evaluated at the agency level)
      Security awareness training: No (evaluated at the agency level)
      Configurations/patching: X
      Other (Risk assessment): X

This section reports on Carson Associates’ assessment of the agency’s certification and accreditation process in detail. Section 3.2.1 of this report discusses the actual number of agency and contractor systems with a current certification and accreditation. In order to evaluate the agency’s certification and accreditation process, Carson Associates evaluated the certification and accreditation documents for one of the two systems with a current certification and accreditation. We also reviewed the new certification and accreditation process and procedures located on the agency’s project management methodology Web site, and reviewed accreditation decision memoranda issued by the agency’s authorizing official.
We rated the overall quality of the agency’s certification and accreditation process as failing because the agency has completed the certification and accreditation of only two agency systems and one contractor system for which the agency has direct oversight in the past 2 years. The failing rating does not necessarily reflect the actual quality of the process itself. Carson Associates could not perform a complete evaluation of the agency’s new certification and accreditation process, as only two systems had completed certification and accreditation under the new process at the time of our evaluation. Based on the certification and accreditation documents we did review, we found that the agency’s certification and accreditation process is inconsistent with NIST guidance.

Certification and Accreditation – Background

The security certification and accreditation of information systems is integral to an agency’s information security program and is an important activity that supports the risk management process required by FISMA. Information systems under development must be certified and accredited prior to becoming operational.
Operational information systems must be re-certified and re-accredited every 3 years in accordance with Federal policy,14 and whenever there is a significant change15 to the information system or its operational environment.

The following diagram16 illustrates the key activities, including certification and accreditation, in managing enterprise-level risk, i.e., risk resulting from the operation of an information system. As illustrated in the diagram, NIST has developed several standards and guidelines to support the management of enterprise risk. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, provides guidelines for certification and accreditation.

[Diagram not reproduced in this text version: key activities in managing enterprise-level risk, adapted from NIST; see footnote 16.]

Security certification is a comprehensive assessment of the management, operational, and technical security controls that are planned or in place in an information system to determine the extent to which the controls are (1) implemented correctly, (2) operating as intended, and (3) producing the desired outcome with respect to meeting the security requirements for the information system. The results of a security certification are used to reassess the risks and

14
    OMB Circular A-130, Appendix III.
15
    Examples of significant changes to an information system that should be reviewed for possible re-accreditation include (1) installation of a new or upgraded operating system, middleware component, or application; (2) modifications to system ports, protocols, or services; (3) installation of a new or upgraded hardware platform or firmware component; and (4) modifications to cryptographic modules or services.
    Changes in laws, directives, policies, or regulations, while not always directly related to the information system, can also potentially affect the system security and trigger a re-accreditation action.
16
    The diagram was adapted from a diagram found in the NIST presentation “Building More Secure Information Systems: A Strategy for Effectively Applying the Provisions of FISMA,” dated July 29, 2005 (http://csrc.nist.gov/sec-cert/PPT/fisma-overview-July29-2005.ppt).

update the system security plan, thus providing the factual basis for an authorizing official17 to render a security accreditation decision. Security certification can include a variety of assessment methods (e.g., interviewing, inspecting, studying, testing, demonstrating, and analyzing) and associated assessment procedures depending on the depth and breadth of assessment required by the agency.

Security accreditation is the official management decision given by a senior agency official to (1) authorize operation of an information system and (2) explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.
By accrediting an information system, an agency official accepts responsibility for the information system’s security.

There are three types of accreditation decisions that can be rendered by authorizing officials: (1) ATO, (2) interim authorization to operate (IATO), and (3) denial of authorization to operate.

       •   Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is acceptable.
       •   Interim Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is unacceptable, but there is an overarching mission necessity to place the information system into operation or continue its operation. An IATO is rendered when the security vulnerabilities identified in the information system (resulting from deficiencies in the planned or implemented security controls) are significant but can be addressed in a timely manner. An IATO provides a limited authorization to operate the information system under specific terms and conditions and acknowledges greater risk to the agency for a specified period of time. In accordance with OMB policy, an information system is not accredited during the period of limited authorization to operate. The duration established for an IATO should be commensurate with the risk to agency operations, agency assets, or individuals associated with the operation of the information system.
When the security-related deficiencies have been adequately addressed, the IATO should be lifted and the information system authorized to operate.
       •   Denial of Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is unacceptable. The information system is not accredited and should not be placed into operation. If the information system is currently operational, all activity should be halted.

The FY 2005 FISMA independent evaluation found that the majority of NRC information systems (19 of 27) were not certified and accredited because (1) the certification and accreditation had lapsed or was never completed and (2) NRC information systems were being re-certified and re-accredited using new NIST requirements.18 As a result, potential risks to agency information systems were unknown.

17
     The agency refers to the authorizing official as the designated approving authority.
18
     NRC information systems are being re-certified and re-accredited in accordance with the minimum security controls for information systems defined in NIST SP 800-53.
Subsequent to the FY 2005 FISMA independent evaluation, the former Chairman directed the agency to submit a plan (1) to refocus the agency’s FISMA program for FY 2006 and (2) for an independent review of NRC’s FISMA program.

NRC Refocused Information System Security Program

Under the refocused program, the agency proposed performing certification and accreditation of systems that are a high priority from a mission perspective and others that potentially pose a higher security risk (e.g., agency systems that communicate with systems outside the NRC network). These high priority systems included legacy financial systems, two new systems, and infrastructure components supporting these high priority systems. In a February 2006 memorandum to office directors and regional administrators, the agency stated it planned to complete the certification and accreditation for the high priority systems by the first quarter of FY 2007.

The first phase of the refocused program also included the development of a new certification and accreditation process, which has been finalized. The agency has finalized the templates for all certification and accreditation documents as well as instructions for completing the templates. The updated certification and accreditation process was also integrated into the agency’s new project management methodology. One of the agency’s operational major applications was chosen to “pilot” the new process and documentation standards, in part, to ensure the new process is repeatable.

In response to the two significant deficiencies identified by the FY 2006 FISMA independent evaluation, the agency developed a plan to achieve full accreditation for 15 major applications/general support systems by August 30, 2007, and full accreditation of the remaining 15 major applications/general support systems by August 30, 2008.
The agency’s goal was to have six systems accredited by January 31, 2007. The agency did not meet this goal, and has changed the priorities of and schedule for the certification and accreditation efforts multiple times since the first schedule under the refocused program was issued in February 2006. As of the completion of fieldwork, the agency has completed the certification and accreditation of only two agency major applications/general support systems. The certification and accreditation for the system originally chosen to “pilot” the new process and documentation standards still has not been completed.

Even with the new certification and accreditation process, the refocused information system security program, and the award of a multi-year, multi-million dollar contract to provide the agency with consolidated information system security services, the agency has completed certification and accreditation of only two agency systems and one contractor system for which the agency has direct oversight in the past 2 years. In the meantime, the certifications and accreditations for all of the agency’s remaining 28 operational systems have expired.

The FY 2005 FISMA independent evaluation made two recommendations to address the lack of certified and accredited systems: (1) develop and implement procedures for monitoring timely initiation of certification and accreditation efforts, and (2) develop and implement a mechanism for holding responsible managers and their staff accountable for completing certification and accreditation efforts in a timely manner.
However, the agency is still in the process of implementing the first recommendation. According to the agency, the target date for developing and implementing procedures for monitoring timely initiation of certification and accreditation efforts was July 30, 2007. This target date was not met.

As stated previously, it constitutes a significant deficiency that only 2 of the 30 operational NRC information systems have a current certification and accreditation and only 5 of the 11 systems used or operated by a contractor or other organization on behalf of the agency have a current certification and accreditation.

Independent Review of NRC’s Information System Security Program

At the request of the former Chairman, the agency engaged outside expertise to perform an independent review of the adequacy of the agency’s internal processes used to provide security to its information systems. NRC selected Carnegie Mellon University’s Software Engineering Institute to perform the independent review.
Their approach to determining the adequacy of the agency’s processes used to protect and secure its IT systems included the following tasks:

   •   Assist the NRC to understand the capability of its information system security program as compared to other similar-sized Government agencies, and assist the agency to improve its information system security program.
   •   Review the NRC certification and accreditation process to determine its consistency with NIST policies and guidance.
   •   Provide NRC leadership with guidance for certification and accreditation efforts, including benchmarks for cost, duration, resource commitment, and compliance reporting.

The final report was issued on November 13, 2006, and included 23 recommendations and 5 additional recommendations to consider. The agency submitted the report to the Commission on November 30, 2006, along with plans for addressing the recommendations made in the report. The agency stated that several recommendations address issues that span the agency’s entire information security program, including functions residing in other offices. The agency also stated that the staff would provide an analysis of these issues along with options regarding the associated recommendations for Commission consideration in a separate Commission paper. The agency is currently working on developing a new security organization and reporting framework to address the implementation of these recommendations, but has not issued any further communication to the Commission on its progress.

FINDING L – The Agency’s Certification and Accreditation Process Is Inconsistent With NIST Guidance (New Finding)

Carson Associates’ assessment of the agency’s certification and accreditation process found that it is inconsistent with NIST guidance.
Specifically, we found that (1) the issuance of IATOs is still inconsistent with NIST guidance, and (2) certification and accreditation documents completed using the new procedures are inconsistent with NIST guidance.

Issuance of Interim Authorizations to Operate Is Still Inconsistent With NIST Guidance

As stated previously, there are three types of accreditation decisions that can be rendered by authorizing officials: (1) an ATO, (2) an IATO, and (3) denial of authorization to operate. A full and complete certification and accreditation package is necessary for an authorizing official to render an accreditation decision. A complete certification and accreditation includes a security plan (which includes or references a risk assessment), a security assessment report, and a POA&M.

In prior years, the agency allowed current (legacy) systems to operate under an IATO prior to the completion of certification and accreditation, while concurrently pursuing authority to operate for new systems. However, OMB has clarified that allowing systems to operate under an IATO would not be an acceptable approach for the certification and accreditation of systems.
NRC now bases the decision to issue an IATO on the submission of the following documents:

   •   NRC Form 616 – Notification of Electronic Information System Design or Modification
   •   NRC Form 637 – NRC Electronic Information System Records Scheduling Survey
   •   Privacy Impact Assessment
   •   Security Categorization (which includes an e-Authentication risk assessment)

Issuance of an IATO based on the submission of these documents is inconsistent with NIST guidance. None of these documents describes the actual risks that exist in the systems or identifies threats and vulnerabilities that could expose the agency’s information and information systems to an unacceptable level of risk. Such information is necessary for the authorizing official to determine whether the risk to agency operations, agency assets, or individuals, based on the implementation of an agreed-upon set of security controls for these systems, is acceptable.

The following is a summary of some of the agency’s systems that are currently operating under an IATO.

   •   Three systems’ last certification and accreditation expired more than 1 year ago.
   •   Two systems’ last certification and accreditation expired more than 2 years ago.
   •   Two general support systems were identified when the LAN/WAN was divided into several general support systems.
There is insufficient documentation to determine\n       whether these systems are fully covered by the previous LAN/WAN certification and\n       accreditation.\n   \xe2\x80\xa2   One agency system has never had a complete certification and accreditation and does not\n       even have a security plan or risk assessment.\n\nThe agency may have some understanding of the threats, vulnerabilities, and risks associated\nwith the systems operating under an IATO that have (1) an expired certification and\naccreditation, (2) a risk assessment, or (3) a security plan. However, these documents are now\noutdated. As noted above, there are several systems operating under an IATO that have never\nhad a risk assessment and do not have a security plan. For these systems, the authorizing official\n\n\n\n                                                31\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\ncannot make an informed decision regarding whether the risk to agency operations, agency\nassets, or individuals is acceptable.\n\nAs stated previously, the Software Engineering Institute evaluated the agency\xe2\x80\x99s certification and\naccreditation process. One of its recommendations was to make accreditation decisions based on\na set of documents that provide an accurate identification and mitigation of risk, regardless of\nwhether the authorizing official ultimately decides to grant an ATO, an IATO, or deny operation.\nThe report also recommended that in addition to the security categorization, the agency should\nalso require a system security plan prior to issuing an IATO. 
The agency stated in its response to\nthe report that staff will ensure that the documentation upon which the accreditation is based\ncontains an accurate identification of risk as well as any risk mitigation plans, and agreed that\nsecurity plans should also be required.\n\nHowever, the agency continues to issue IATOs without documentation that includes accurate\nidentifications of risks, risk mitigation plans, or security plans.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   12. Follow NIST guidance and only issue IATOs with documentation that includes accurate\n       identification of risks, risk mitigation plans, and security plans.\n\nCertification and Accreditation Documents Completed Using New Procedures Are Inconsistent\nWith NIST Guidance\n\nCarson Associates reviewed the certification and accreditation documents for one agency system\nthat was completed using the new certification and accreditation process and templates. Our\nreview found that several documents are inconsistent with NIST guidance.\n\nSecurity Test and Evaluation\n\nAs stated earlier, NIST SP 800-37 provides guidance on the certification and accreditation\nprocess. In the security categorization phase, task 4, subtask 4.3 (security control assessment,\nsecurity assessment) includes determining the extent to which the security controls are\nimplemented correctly, operating as intended, and producing the desired outcome with respect to\nmeeting the security requirements for the system. At the completion of task 4, the certification\nagent will be able to determine the extent to which the security controls in the information\nsystem are implemented correctly, operating as intended, and producing the desired outcome\nwith respect to meeting the security requirements for the information system. The third phase of\nthe certification and accreditation process is the security accreditation phase. 
The objective of\ntask 6 of this phase (security accreditation decision) is to determine (1) the risk to agency\noperations, agency assets, or individuals and (2) if the agency-level risk is acceptable.\n\nThe system\xe2\x80\x99s security test and evaluation execution report stated that testing was limited to the\n40 percent of the assurance controls selected by the NRC Senior Agency Information Security\nOfficer for pre-approval to operate testing, and all of the functional security controls for the\n\n\n                                                32\n\x0c                                                                                            Independent Evaluation of\n                                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\nsystem. A total of 54 controls and 12 control enhancements stated as in-place in either the risk\nassessment or security plan were tested. However, 36 controls and 27 control enhancements\nstated as in-place were not tested. Some were hybrid controls, which are controls implemented\nby the system as well as by other systems, typically general support systems, which also provide\nthat control. However, some were controls specific to the system being tested.\n\nThis is the first certification and accreditation for this system, so none of its security controls had\nbeen tested prior to the security test and evaluation conducted as part of the certification and\naccreditation. NIST SP 800-37 specifically states that the organization must assess all security\ncontrols in an information system during the initial security accreditation. If all of the security\ncontrols have not been tested, the certification agent cannot determine the extent to which the\nsecurity controls in the information system are implemented correctly, operating as intended, and\nproducing the desired outcome with respect to meeting the security requirements for the\ninformation system. 
The authorizing official stated the following in the approval to operate\nmemorandum for this system: \xe2\x80\x9cThis security accreditation is my formal declaration that adequate\nsecurity controls have been implemented in the information system and that a satisfactory level\nof security is present in the system.\xe2\x80\x9d It is not possible to determine whether adequate security\ncontrols have been implemented if not all of the security controls have been tested.\n\nRisk Assessment\n\nIn the security categorization phase, task 5, subtask 5.2 (security certification documentation,\nsystem security plan update) includes updating the system security plan (and risk assessment)\nbased on the results of the security test and evaluation and any modifications to the security\ncontrols in the information system. At the completion of the security certification phase, the\nsecurity plan and risk assessment should contain an accurate list and description of the security\ncontrols that are implemented (in place) and a list of identified vulnerabilities (i.e., controls that\nare not implemented or planned).\n\nHowever, the system\xe2\x80\x99s risk assessment was not updated to reflect the results of the security test\nand evaluation. There were seven security controls and one enhancement that were determined\nto be not in place during the security test and evaluation. The risk assessment should have been\nupdated to reflect that these controls are not in place, and the risks associated with the lack of\nthese controls should have been re-evaluated.\n\nSecurity Plan\n\nNIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information\nSystems, provides guidance for the development of security plans. 
Each control description\nshould contain: (1) the security control title, (2) how the security control is being implemented or\nplanned to be implemented, (3) any scoping guidance that has been applied and what type of\nconsideration, and (4) indication of whether the security control is a common control and who is\nresponsible for its implementation. The use of compensating controls should also be\ndocumented in the system security plan.19\n\n19\n      Compensating security controls are the management, operational, or technical controls employed by an agency in\n     lieu of prescribed controls in the low, moderate, or high security control baselines, which provide equivalent or\n\n\n                                                            33\n\x0c                                                                                           Independent Evaluation of\n                                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n\n\nThe system\xe2\x80\x99s security plan makes no reference to scoping guidance that has been applied, and\nmakes no specific mention of compensating controls. There are several controls that have had\nscoping guidance applied. For example, the access control AC-18 (wireless access restrictions)\nis noted as being not applicable. In this case, scoping guidance has been applied to remove this\ncontrol from the moderate-impact baseline applied to the system. The security plan should have\nnoted the type of scoping guidance \xe2\x80\x93 in this case, technology-related \xe2\x80\x93 that was applied to the\ncontrol. There are also several controls that require compensating controls. There are eight\ncontrols and one control enhancement that are noted as \xe2\x80\x9cnot planned\xe2\x80\x9d in the security plan. 
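The three inconsistencies described in this section (in-place controls left untested at initial accreditation, a risk assessment not updated with ST&E findings, and a security plan that omits scoping guidance and compensating controls) are mechanical enough that a quality assurance procedure could check for them automatically. The following is an added Python example, not the agency’s procedure or code; its control identifiers, statuses, and record layout are constructed assumptions.

```python
"""QA checks for consistency of a certification and accreditation package.

Added example (not from the OIG report or any NRC procedure). The three
checks mirror the inconsistencies the report describes; the data model and
all sample values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PlanEntry:
    """One control description in the system security plan (assumed layout)."""
    status: str                        # in place | planned | not planned | not applicable
    scoping_guidance: Optional[str] = None           # required when status is "not applicable"
    compensating_controls: List[str] = field(default_factory=list)  # required when "not planned"
    hybrid: bool = False               # partly provided by another system (e.g., a GSS)


@dataclass
class SteResult:
    """Outcome of the security test and evaluation (ST&E) for one control."""
    tested: bool
    in_place: Optional[bool] = None    # meaningful only when tested


def check_initial_assessment(plan: Dict[str, PlanEntry],
                             ste: Dict[str, SteResult]) -> List[str]:
    """SP 800-37: every control stated as in place must be assessed during the
    initial accreditation. Flags in-place controls the ST&E did not test."""
    findings = []
    for cid, entry in plan.items():
        if entry.status != "in place":
            continue
        result = ste.get(cid)
        if result is None or not result.tested:
            kind = "hybrid" if entry.hybrid else "system-specific"
            findings.append(f"{cid}: stated in place but not tested ({kind})")
    return findings


def check_risk_assessment_updated(ste: Dict[str, SteResult],
                                  risk_assessment_gaps: Set[str]) -> List[str]:
    """Subtask 5.2: controls found not in place during the ST&E must appear in
    the risk assessment's list of identified vulnerabilities."""
    return [f"{cid}: found not in place during ST&E but absent from risk assessment"
            for cid, r in sorted(ste.items())
            if r.tested and r.in_place is False and cid not in risk_assessment_gaps]


def check_plan_documentation(plan: Dict[str, PlanEntry]) -> List[str]:
    """SP 800-18: a control removed by scoping guidance must name the guidance
    type; a control neither in place nor planned must name compensating controls."""
    findings = []
    for cid, entry in sorted(plan.items()):
        if entry.status == "not applicable" and not entry.scoping_guidance:
            findings.append(f"{cid}: marked not applicable without scoping guidance type")
        if entry.status == "not planned" and not entry.compensating_controls:
            findings.append(f"{cid}: not planned and no compensating controls documented")
    return findings


def qa_report(plan: Dict[str, PlanEntry], ste: Dict[str, SteResult],
              risk_assessment_gaps: Set[str]) -> Dict[str, List[str]]:
    """Run all three checks; an empty list means that check passed."""
    return {
        "untested_in_place": check_initial_assessment(plan, ste),
        "risk_assessment_stale": check_risk_assessment_updated(ste, risk_assessment_gaps),
        "plan_documentation": check_plan_documentation(plan),
    }


# Constructed sample package; control labels are SP 800-53 style but the
# statuses are invented and do not describe any real system.
SAMPLE_PLAN = {
    "AC-2": PlanEntry("in place"),
    "AC-18": PlanEntry("not applicable"),                 # scoping guidance type not recorded
    "AU-6": PlanEntry("in place"),                        # never tested
    "PE-3": PlanEntry("in place", hybrid=True),           # provided partly by the GSS, untested
    "IR-4": PlanEntry("in place"),                        # ST&E finds it missing
    "CP-2": PlanEntry("not planned"),                     # no compensating control named
    "CP-9": PlanEntry("not planned", compensating_controls=["CP-6"]),
    "SC-7": PlanEntry("not applicable", scoping_guidance="technology-related"),
}
SAMPLE_STE = {
    "AC-2": SteResult(tested=True, in_place=True),
    "IR-4": SteResult(tested=True, in_place=False),
    "PE-3": SteResult(tested=False),
}
SAMPLE_RA_GAPS: Set[str] = set()   # risk assessment lists no vulnerabilities: not updated

if __name__ == "__main__":
    for check, items in qa_report(SAMPLE_PLAN, SAMPLE_STE, SAMPLE_RA_GAPS).items():
        print(f"{check}: {'PASS' if not items else ''}")
        for item in items:
            print("  -", item)
```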
If these controls are not in place, and not planned, then there must be compensating controls in place to provide equivalent or comparable protection for the controls not in place.

RECOMMENDATION

      The Office of the Inspector General recommends that the Executive Director for Operations:

      13. Develop and implement quality assurance procedures to ensure certification and accreditation documentation is consistent with NIST guidance.

3.7      IG Assessment of Agency Privacy Program and Privacy Impact Assessment Process

3.7.1 Privacy Impact Assessment Process

 OMB Requirement 6.a.: Provide a qualitative assessment of the agency’s Privacy Impact Assessment (PIA) process, including adherence to existing policy, guidance, and standards.
 OIG Response: Excellent

Carson Associates evaluated the agency’s PIA process against the questions from the PIA and Web Privacy Policies and Processes section of the OMB Reporting Template for Senior Agency Officials for Privacy.

6.a.1. Does the agency have a written policy or process for determining whether a PIA is needed?

MD and Handbook 3.2, Privacy Act, require office directors and regional administrators to ensure that PIAs are prepared and submitted to OIS before developing or procuring IT that collects, maintains, or disseminates personal information about individuals or when initiating a new electronic collection of personal information in identifiable form20 from 10 or more persons. In accordance with the agency’s project management methodology, a PIA is required for all investments at the inception phase of the development lifecycle. PIAs are also part of the agency’s certification and accreditation process. ISS-01-001, Revision 0, PIA Procedures, dated August 30, 2006, requires a PIA (or an update of an existing PIA) for each legacy system requiring re-certification and re-accreditation.

20 Information in identifiable form is information that permits the identity of the individual to whom the information applies to be reasonably inferred directly or indirectly.

6.a.2. Does the agency have a written policy or process for conducting a PIA?

The agency has developed procedures (ISS-01-001) and a template for conducting PIAs. The procedures provide a detailed discussion of how to complete a PIA and include guidance on how to complete certain questions on the PIA. MD and Handbook 3.2 require the OIS Business Process Improvement and Applications Division (BPIAD) Director to ensure that PIAs are conducted, reviewed, and approved before NRC collects information in an identifiable form or before developing or procuring IT that collects, maintains, or disseminates such information. The OIS Information and Records Services Division (IRSD) Director is required to ensure that PIAs are reviewed to address the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements. Once IRSD has completed its review and approved a PIA, IRSD is responsible for declaring the PIA an official agency record in the agency’s records management system.

6.a.3. Does the agency have a written policy or process for evaluating changes in business process or technology that the PIA indicates may be required?

PIAs are part of the agency’s project management methodology and certification and accreditation process. Any changes in business process or technology indicated by a PIA would be handled in accordance with these processes.

6.a.4. Does the agency have a written policy or process for ensuring that system owners and privacy and IT experts participate in conducting the PIA?

Offices/system owners are responsible for preparing a PIA for each IT project/system they sponsor and submitting it to OIS for review and approval. The PIA undergoes review several times during development by privacy and IT experts, including the agency Privacy Program Officer, IRSD privacy and records staff, the computer security team, and the agency’s Senior Agency Information Security Officer.

6.a.5. Does the agency have a written policy or process for making PIAs available to the public in the required circumstances?
6.a.6. Does the agency have a written policy or process for making PIAs available in other than required circumstances?

PIAs for systems that collect information from or about members of the public are made publicly available and posted on the NRC external Web site, unless making the PIA public would raise security concerns or reveal classified (i.e., national security) information or sensitive information (e.g., potentially damaging to a national interest, law enforcement effort, or competitive business interest) contained in the assessment. The sponsoring office is responsible for performing the review that determines whether the PIA can be made public. Should an office wish to post on the external Web site a PIA for a system that does not collect information from or about members of the public, the office must inform the Privacy Program Officer that it has completed a review and that there is nothing in the PIA that would preclude it from being made public. The Privacy Program Officer changes the availability of the document in the agency’s records management system and has it posted on the agency’s external Web site.

6.a.5. Does the agency have a written policy or process for determining continued compliance with stated Web policies?

MD and Handbook 3.14, U.S. Nuclear Regulatory Commission External Web Site, include policies and procedures to ensure that (1) operation of the site complies with applicable laws and regulations, (2) all content on the external Web site contributes to increasing public confidence in the NRC and to making conducting business with the NRC more efficient and effective, and (3) the content (i) reflects agency policy; (ii) is accurate, current, and easy to find; (iii) is accessible by all site users, including those with disabilities; (iv) adheres to best practices for Web usability; (v) does not unfairly promote one organization or commercial entity over others; and (vi) is published only once and is referenced by links when the same content is related to more than one topic.

The MD and Handbook are augmented by additional guidance on the agency’s internal Web site. The additional guidance includes interface requirements for Web-based software applications, requirements and best practices for Government Web managers, and information on who participates in Web publishing. The agency’s process for publishing content to the agency’s external Web site includes five basic steps: (1) initial authorization of content, (2) screening content, (3) preparing content, (4) formatting content, and (5) publishing content. During the screening step, the content is checked for Web suitability, including checks for copyright, OMB information collection requirements, persistent cookies, privacy, and sensitivity. The Web site includes numerous instructions and checklists for each step of the publishing process.

6.a.6. Does the agency have a written policy or process for requiring machine-readability of public-facing agency Web sites (i.e., use of P3P21)?

As MD and Handbook 3.14 were last issued prior to the OMB memorandum requiring that privacy policies be translated into a standardized machine-readable format, the agency has posted this requirement on its internal Web site.

21 The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents.

3.7.2 Progress in Implementing OMB M-06-15

 OMB Requirement 6.b.: Provide a qualitative assessment of the agency’s progress to date in implementing the provisions of M-06-15, “Safeguarding Personally Identifiable Information,” since the most recent self-review, including the agency’s policies and processes, and the administrative, technical, and physical means used to control and protect personally identifiable information (PII).
 OIG Response: Excellent

In its FY 2006 FISMA submission to OMB, the agency reported that in response to OMB M-06-15, it conducted a review of physical and personnel security, and administrative and technical policies and processes related to the prevention of the intentional or negligent misuse of, or unauthorized access to, PII. Subsequent to that review, the agency has made significant progress in implementing the provisions of M-06-15 as well as subsequent memoranda issued by OMB regarding privacy and PII.

To ensure that all agency personnel are familiar with the requirements of the Privacy Act, the agency’s implementing regulation, and any other special requirements (i.e., handling PII), NRC issues regular announcements to all employees. These announcements provide general guidance or address specific issues. Each notice directs agency personnel to an internal Privacy Act Web page which provides staff access to guidance, regulations, procedures, and training in the area of the Privacy Act. The agency has issued the following announcements regarding the Privacy Act and the protection of PII.

   •   NRC Yellow Announcement YA-06-0039, Safeguarding Personal Privacy Information, June 22, 2006
   •   NRC Yellow Announcement YA-06-0069, Protection of Personally Identifiable Information, September 19, 2006
   •   NRC Yellow Announcement YA-07-0071, Privacy at the NRC, July 18, 2007

The agency created a PII poster that has been displayed in all agency buildings. Smaller copies of the poster are displayed throughout agency offices. The agency also maintains a PII project Web page that describes the agency’s activities related to the protection of PII. This Web page contains information such as (1) frequently asked questions; (2) how to report inadvertent releases of PII; (3) links to OMB, Office of Personnel Management, and NRC PII policy; (4) information on the agency’s PII task force (e.g., background and charter, membership, and meeting minutes); and (5) information on automated tools available to assist in searching for files that contain PII.

In addition to the activities requested by OMB, NRC conducted a thorough review of documents in the public library of the agency’s document management system to identify and secure any documents that contained a Social Security number (SSN). The documents containing PII were removed from the public library immediately. All current and former NRC employees whose SSNs were available in the public library were notified. NRC is in the process of finalizing notification letters to the non-NRC entities who submitted the documents with SSNs to the public library. NRC is also working on identifying and notifying the non-NRC staff whose SSNs were made available in NRC correspondence. NRC also notified OMB and the Department of Homeland Security about the PII contained in documents placed in the public library of the agency’s document management system.

In response to OMB M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006, the agency implemented short-term plans to (1) focus on improving staff awareness, (2) review and update current direction to reflect the new OMB recommendations related to PII, and (3) assist offices in identifying current data sources with PII. The agency’s security awareness training was updated to reflect PII data requirements. The agency also created an interoffice task force to determine the business processes that include PII, including data collection resulting from NRC information collections and NRC forms, and to revise agency direction, as appropriate, on the use of PII. Other short-term plans include: (1) developing a detailed plan and schedule to complete a comprehensive review of the main and public libraries of the agency’s document management system to identify and secure documents containing PII other than SSNs; and (2) asking contract project managers to have current contractors inventory PII in their possession, and then determine the contractor’s need to possess the PII.

Mid-term activities focus on implementing mitigation strategies to protect PII from unauthorized use. The agency is evaluating major systems that use PII, and is consolidating its automated inventory system in order to further ensure all systems that utilize PII have been identified and are appropriately managed. The agency is also developing mitigation techniques to eliminate PII where possible on the agency systems identified, or to ensure that PII is managed in a safe and secure manner.

Long-term goals include (1) updating MD and Handbook 12.5 to reflect PII direction; (2) identifying, protecting, and monitoring access to PII through completion of certification and accreditation of NRC’s major systems; and (3) designing, developing, and implementing a uniform enterprise security architecture based upon Federal and commercial “best practices.”

The agency has issued guidance on (1) the use of mobile computers and devices (NRC-owned and personally owned) to store PII, (2) the removal of paper documents that contain PII from NRC-controlled space, (3) the use of NRC remote access services to access systems containing PII, and (4) password protection of mobile devices. The agency’s remote access system invokes a forced logout after 30 minutes of user inactivity, and BlackBerry devices have a system-enforced logout after 15 minutes of inactivity.

As a result of a report issued by the OIG in FY 2006, the CIO directed offices to conduct an immediate review of all network drives for the presence of personal privacy information and remove any information that should not be posted on a network drive unless access to that information is appropriately restricted to users with a “need to know.” OIS provided the offices with guidance, support, and an automated tool to assist the staff in searching for and identifying documents with personal privacy information. This initial effort was completed in April 2007. The agency is still developing policies and procedures for performing periodic reviews of network drives for the presence of personal privacy information.

3.8        Configuration Management

 OMB Requirement 7.a.: Is there an agency-wide security configuration policy?
 OIG Response: Yes
 OMB Requirement 7.b.: Approximate the extent to which applicable information systems apply common security configurations established by NIST.
 OIG Response: Rarely (0-50% of the time)

The agency has implemented several policies that address security configurations and their implementation. System security screening guidelines were developed to prepare new systems for implementation into the NRC production operating environment. The security screening ensures that system configurations meet NRC network security requirements. The guidelines outline the steps necessary to request and perform the security screening process, provide guidance on managing and developing a secure system, and list industry best practices and additional resources.

The agency has also posted guidance on the NRC internal Web site requiring the use of hardening specifications for the different operating systems and software in use at the agency. Hardening specifications in use at the agency include benchmarks developed by the Center for Internet Security, the Defense Information Systems Agency (DISA) Gold Disk,22 National Security Agency security configuration guides, and custom hardening specifications developed by the agency. The agency requires the use of the most recent version of the specified hardening specifications.

22 The DISA Gold Disk is a tool that allows a system administrator to scan a system for vulnerabilities, make appropriate security configuration changes, and apply security patches. The Gold Disk uses an automated process that configures a system in accordance with DISA Security Technical Implementation Guidelines.

NRC uses PatchLink to keep desktop configurations consistent across NRC. Network Bulletins are used to announce agency workstation updates. The announcements describe the nature of the upgrade and whether or not a workstation restart is required after the patches are installed.

NRC also requires all new acquisitions to include language to ensure that information technology providers certify their products operate effectively using the common security configurations required by OMB memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations.

Carson Associates could not fully determine the extent to which applicable information systems apply common security configurations established by NIST. The agency did not provide the list of NIST or NIST-approved configurations in use at the agency until the last day of fieldwork. There was insufficient time to select a representative set of information systems to compare against the stated security configurations for the various operating systems and software in use at the agency.

Carson Associates did review the security test and evaluation results for the agency system selected for evaluation in FY 2007. DISA Gold Disk scans of the servers that support this system found that none of the servers were in compliance with the NRC-specified hardening specifications for those operating systems.

3.9        Incident Reporting

 OMB Requirement 8.a.: The agency follows documented policies and procedures for identifying and reporting incidents internally.
 OIG Response: Yes
 OMB Requirement 8.b.: The agency follows documented policies and procedures for reporting to US-CERT.
 OIG Response: Yes
 OMB Requirement 8.c.: The agency follows documented policies and procedures for reporting to law enforcement.
 OIG Response: Yes

MD and Handbook 12.5, Appendix B, formalizes the agency’s procedures for monitoring, detecting, reporting, and responding to information systems security incidents. It also provides the requirements and procedures for reporting incidents internally, for reporting to US-CERT,23 and for reporting to law enforcement. The most current version of the incident response procedures is maintained on the agency’s internal Web site.

23 The procedures actually reference reporting to the Federal Computer Incident Response Center, which was replaced with US-CERT when the Department of Homeland Security was established.

The Management Directive defines the roles and responsibilities for reporting and responding to information system security incidents. When criminal activity is suspected or confirmed, the procedures assign the OIG responsibility for contacting and coordinating the response with law enforcement officials.

Carson Associates reviewed samples of various incident response reports to determine whether the agency follows documented policies and procedures for identifying and reporting incidents.

3.10       Security Awareness Training

 OMB Requirement 9.: Has the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities?
 OIG Response: Almost Always (96-100% of employees)
 OMB Requirement 10.: Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training?
 OIG Response: Yes

All new NRC employees (including contractors, interns, and summer hires) are required to attend orientation the first day they report for duty. During the orientation, a member of the NRC Computer Security Team gives a brief presentation, which includes a discussion on appropriate use of information technology equipment. In addition, a member of the Office of the General Counsel presents a session on ethics that includes additional discussions on appropriate use of the Internet.

For FY 2007, all employees, including contractors, were required to attend in-person IT security training to ensure all employees are aware of their personal IT security responsibilities. Training sessions took approximately 3 hours and were held between October 2006 and December 2006, with a few makeup sessions scheduled in early January 2007. Employees hired after these training sessions ended are required to watch a video of the course (either online or on DVD). As of April 2007, the agency had achieved 100-percent compliance. The agency used NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, and NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, as sources of topics for the training course. The presentation slides from the course, the participant manual, and the NRC User Responsibilities for IT Security Golden Book are available online on the NRC internal Web site. The agency has also posted questions and answers from the various training sessions on the NRC internal Web site.

All Information System Security Officers and IT managers are required to take an additional online IT security awareness training course in addition to the required security awareness training described above. This additional IT security awareness training course must be taken every 3 years. NRC also provides an online IT security awareness course for system administrators. All system administrators must take this training course before assuming their duties, and then every 3 years thereafter.

NRC meets the Office of Personnel Management requirement to expose employees to security awareness materials at least annually by (1) mandating that all NRC staff take annual IT security awareness training and documenting who takes the annual training; (2) using posters, flyers, Web pages, NRC Yellow Announcements,24 NRC Announcements, and articles/notices in the NRC monthly newsletter to keep computer security on everyone’s mind throughout the year; and (3) holding an annual NRC Security Awareness Day event.

The agency is in the process of developing a computer security awareness and training program plan to fully implement the requirements outlined in OMB Circular A-130, Appendix III; FISMA; Management Directive and Handbook 12.5; and the Office of Personnel Management’s final regulations concerning information technology security awareness.

The FY 2007 in-person security awareness training included a discussion of the dangers of peer-to-peer applications such as instant messaging. The installation of peer-to-peer software on NRC computers without explicit written approval of the NRC designated approving authority is prohibited.
The agency provides a peer-to-peer frequently asked questions document on its\ninternal Web site.\n\n\n\n24\n      NRC Yellow Announcements (formerly Yellow Announcements) establish new policies, practices, or procedures;\n     introduce changes in policy, senior staff assignments, or organization; or address major agencywide events. These\n     announcements require signature and are retained as permanent records in the agency\xe2\x80\x99s document management\n     system.\n\n\n                                                           41\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\nFINDING M \xe2\x80\x93 Agency Lacks Procedures for Ensuring Employees With Significant IT\nSecurity Responsibilities Receive Security Training (Repeat Finding)\n\nWhile the agency meets the FISMA requirement to ensure all employees received IT security\nawareness training, the agency still has not met the requirement to provide specialized training\nfor employees with significant security responsibilities as described in NIST SP 800-16.\n\nThe FY 2005 FISMA independent evaluation found that the agency had difficulty in gathering\nthe information needed to report on (1) the total number of employees with significant IT\nsecurity responsibilities, (2) the number of those employees who have received specialized\ntraining, and (3) the total cost for providing IT training. 
At the time of the FY 2005 FISMA
independent evaluation, the agency’s training system did not identify which employees have
significant IT security responsibilities and what courses are considered related to IT security.
The agency’s training system also did not account for any training the employees may have
taken on their own time.

The agency is working with NRC offices to identify employees and contractors with significant
IT security responsibilities. The agency is also developing procedures for ensuring staff with
significant IT security responsibilities are identified and receive security awareness training and
that the individual and associated training are properly documented and readily identifiable.
According to the agency, the current target date for completing the recommendation from the FY
2005 FISMA independent evaluation concerning security training for employees and contractors
with significant IT security responsibilities is August 31, 2008.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   14. Develop and implement procedures for ensuring employees and contractors with
       significant IT security responsibilities are identified, receive security awareness and
       training, and the individual and associated training are readily identifiable. This
       recommendation replaces recommendation #10 from OIG-05-A-21, Independent
       Evaluation of NRC’s Implementation of FISMA for Fiscal Year 2005.

3.11   E-Authentication Risk Assessments

                            OMB Requirement                                       OIG Response
 11. The agency has completed system e-authentication risk                   No
     assessments.

In December 2003, OMB issued memorandum M-04-04, E-Authentication Guidance for Federal
Agencies. The guidance applies to remote authentication of users of Federal agency information
technology systems for the purposes of conducting Government business electronically (or e-
Government). Remote authentication occurs when users identify and authenticate to information
systems from outside of a specified security perimeter that is considered to offer sufficient
protection. Performing an e-authentication risk assessment can also assist agencies in
determining the appropriate identification and authentication controls for their systems. In
addition, the e-authentication initiative is the first reusable component of the Federal Enterprise
Architecture, the second e-Government cross-cutting initiative. Part of the Federal Enterprise
Architecture plan is that the vast majority of Federal systems incorporating authentication
functions should migrate to support e-authentication over time.

The e-authentication risk assessment is also required to implement Part 2 of FIPS 201-1, Personal
Identity Verification of Federal Employees and Contractors, dated March 2006. In accordance
with OMB M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 –
Policy for a Common Identification Standard for Federal Employees and Contractors, dated
August 5, 2005, in order to implement Part 2 of the standard, by October 27, 2006, all
departments and agencies must begin deploying products and operational systems meeting
specific requirements, including the use of digital certificates. According to the OMB
memorandum, agencies must require the use of the identity credential for system access.
Agencies must prioritize this requirement based on risk, using their authentication risk
assessments required by previous OMB guidance and the categorization required by FIPS 199.

While OMB M-04-04 only requires e-authentication risk assessments for e-Government systems,
NRC requires e-authentication risk assessments for all agency systems that require security
categorizations. The e-authentication risk assessment is conducted during the security
categorization of a system.

FINDING N – E-Authentication Risk Assessments Have Not Been Completed (Repeat
Finding)

This is a repeat finding from the FY 2005 and FY 2006 FISMA independent evaluations. The
FY 2005 FISMA independent evaluation also found that the six e-authentication risk assessments
that were completed at the time were incorrect and inconsistent with the systems’ FIPS 199
security categorizations. The agency has completed all e-authentication risk assessments
required under OMB M-04-04; however, the agency (1) has not completed e-authentication risk
assessments for all agency systems in accordance with its own policy, and (2) has not completed
its review and update of the six e-authentication risk assessments originally identified in FY
2005 as having inaccuracies and inconsistencies. Only 15 of the 30 operational NRC
information systems have completed e-authentication risk assessments. Only 5 of the 11
contractor systems have completed e-authentication risk assessments. According to the agency,
the target date for completing all e-authentication risk assessments was July 30, 2007. This
target date was not met.

Not only is the agency failing to meet the requirement to complete e-authentication risk
assessments, the agency also cannot prioritize the HSPD-12 and FIPS 201-1 requirement to use
the identity credential for system access, because not all systems have been categorized in accordance
with FIPS 199, and not all systems have completed their authentication risk assessments.

RECOMMENDATION

  The Office of the Inspector General recommends that the Executive Director for Operations:

  15. Develop and implement a plan for completing the remaining e-authentication risk
      assessments. This plan should include the review and update of the remaining two e-
      authentication risk assessments originally identified in FY 2005 as having inaccuracies
      and inconsistencies. This recommendation replaces recommendations #8 and #9 from
      OIG-05-A-21, Independent Evaluation of NRC’s Implementation of FISMA for Fiscal
      Year 2005.

4      Consolidated List of Recommendations

The Office of the Inspector General recommends that the Executive Director for Operations:

    1. Review and correct as needed all security categorizations so that they consistently reflect
        the information types that reside on the systems.
    2. Categorize all NRC major applications and general support systems in accordance with
        FIPS 199.
        This recommendation replaces recommendation #1 from OIG-05-A-21,
        Independent Evaluation of NRC’s Implementation of FISMA for Fiscal Year 2005.
    3. Conduct annual self-assessments in accordance with current OMB and NIST guidance.
    4. For self-assessments conducted on systems without an approved security categorization,
        include an explanation as to how the impact levels for confidentiality, integrity, and
        availability were determined. This explanation should also include a discussion of any
        changes to the impact levels (if any) from the previous year’s self-assessment.
    5. Develop and implement quality assurance procedures for self-assessments.
    6. Develop and implement procedures to ensure contingency plans are tested annually,
        regardless of the status of the systems’ certification and accreditation. This
        recommendation replaces recommendation #3 from OIG-05-A-21, Independent
        Evaluation of NRC’s Implementation of FISMA for Fiscal Year 2005.
    7. Maintain documentation that demonstrates systems provided by other Federal agencies
        meet FISMA requirements. This recommendation replaces recommendations #4, #5, and
        #6 from OIG-05-A-21, Independent Evaluation of NRC’s Implementation of FISMA for
        Fiscal Year 2005.
    8. Develop and implement procedures for performing oversight of major applications and
        general support systems operated by a contractor or other organization on behalf of the
        agency. This recommendation replaces recommendation #7 from OIG-05-A-21,
        Independent Evaluation of NRC’s Implementation of FISMA for Fiscal Year 2005.
    9. Complete the updates to the security categorizations of the general support systems into
        which the Network Continuity of Operations system components have been incorporated.
        This recommendation replaces recommendation #2 from OIG-06-A-26, Independent
        Evaluation of NRC’s Implementation of FISMA for Fiscal Year 2006.
    10. Develop and implement a methodology for identifying which listed systems reside on the
        NRC network and which do not.
    11. Develop and implement quality assurance procedures for POA&Ms.
    12. Follow NIST guidance and only issue IATOs with documentation that includes accurate
        identification of risks, risk mitigation plans, and security plans.
    13. Develop and implement quality assurance procedures to ensure certification and
        accreditation documentation is consistent with NIST guidance.
    14. Develop and implement procedures for ensuring employees and contractors with
        significant IT security responsibilities are identified, receive security awareness and
        training, and the individual and associated training are readily identifiable. This
        recommendation replaces recommendation #10 from OIG-05-A-21, Independent
        Evaluation of NRC’s Implementation of FISMA for Fiscal Year 2005.
    15. Develop and implement a plan for completing the remaining e-authentication risk
        assessments. This plan should include the review and update of the remaining two e-
        authentication risk assessments originally identified in FY 2005 as having inaccuracies
        and inconsistencies. This recommendation replaces recommendations #8 and #9 from
        OIG-05-A-21, Independent Evaluation of NRC’s Implementation of FISMA for Fiscal
        Year 2005.

5      Agency Comments

At an exit conference with the agency held on September 17, 2007, the agency provided informal
written comments and generally agreed with the report recommendations. The NRC Chief
Information Officer provided a formal response to this report on September 24, 2007. Appendix
E contains the Chief Information Officer’s transmittal letter. The agency’s formal comments
along with OIG’s analysis and response to those comments are included as Appendix F. This
final report incorporates revisions made, where appropriate, in response to the agency’s
comments.

Appendix A.       SCOPE AND METHODOLOGY

Carson Associates performed an independent evaluation of NRC’s Implementation of FISMA
for FY 2007.
To conduct the independent evaluation, the team met with agency staff responsible
for implementing the agency’s information system security program, reviewed certification and
accreditation documentation for the agency’s operational information systems, and reviewed other
documentation provided by the agency that demonstrated its implementation of FISMA.

All analyses were performed in accordance with guidance from the following:

   •   National Institute of Standards and Technology standards and guidelines
   •   Nuclear Regulatory Commission Management Directive and Handbook 12.5, NRC
       Automated Information Security Program
   •   NRC Office of the Inspector General audit guidance

This work was conducted between April 2007 and August 2007. Any information received from
the agency subsequent to the completion of fieldwork was incorporated when possible. The
work was conducted by Jane M. Laroussi, CISSP, and Kelby M. Funn, CISA, from Richard S.
Carson and Associates, Inc.

Appendix B.       STATUS OF CONTINGENCY PLAN TESTING

The following information on the status of contingency plan testing was obtained from the 3rd
Quarter FY 2007 POA&Ms submitted by the agency to OMB and from working papers from the
FY 2007 FISMA independent evaluation. Systems with contingency plans tested in FY 2007 are
indicated by shading in the “Last CP Test Date” column.
Systems with contingency plan testing
scheduled for FY 2007, but which have not yet completed contingency plan testing, are indicated
by shading in the “Scheduled Test Date” column.

                      Table B-1. Status of Contingency Plan Testing

 System             Last CP Test Date     Scheduled Test Date    Comment
 Agency Systems
 3-Tier Web         Never tested          August 2008
 ADAMS              August 16, 2004       November 25, 2007
 CTF                June 29, 2004         November 30, 2007      Last test was “inherited” from LAN/WAN.
 DCS                April 29, 2004        July 30, 2007
 DDMS               Between 6/28/07       Not yet scheduled
                    and 7/25/07
 Desktops           June 29, 2004         June 2008              Last test was “inherited” from LAN/WAN.
 E-mail             June 29, 2004         Q4 FY 2009             Last test was “inherited” from LAN/WAN.
 EHD                Never tested          June 30, 2007
 EIE                April 6, 2006         Q1 FY 2009             Agency never approved test results from
                                                                 April 2006.
 ERDS               August 2007           Not yet scheduled      August 2007-Headquarters, January 2007-
                                                                 Regions I and III, February 2007-Region IV,
                                                                 March 2007-Region III.
 Fees System        April 24, 2007        Not yet scheduled
 GLTS               May 13, 2004          Mid FY 2009
 HPCS-CDS/CFD       Never tested          Q1 FY 2009             Transitioning to a listed system, so a
                                                                 contingency plan would not be required after
                                                                 the transition. However, the planned
                                                                 transition to listed system has not occurred.
 HRMS               May 8, 2007           Not yet scheduled
 IDSSD              June 29, 2004         Q2 FY 2008             Last test was “inherited” from LAN/WAN.
 IPSS               July 25, 2003         December 31, 2007
 LAN/WAN            May 10 and            December 2008          Testing was just for switches and routers.
                    May 11, 2005
 LTS                May 18, 2004          Q1 FY 2009             Was to be retired by September 30, 2005. As
                                                                 of the completion of fieldwork, the system
                                                                 had not been retired.
 MPKI               June 29, 2004         July 15, 2008          Last test was “inherited” from LAN/WAN.
 Novell Servers     June 29, 2004         August 30, 2008        Last test was “inherited” from LAN/WAN.
 NSICD              Never tested          Q2 FY 2008             This system does not have a contingency plan.
 OCIMS              June 19, 2006         September 30, 2007
 RAS                March 27, 2004        August 2008            This is another general support system that
                                                                 was broken out from the LAN/WAN. According
                                                                 to the agency, it was included with the
                                                                 continuity of operations testing performed in
                                                                 March 2004.
 RPS                July 9, 2007 and      Not yet scheduled
                    July 13, 2007
 SGI-LAN            Never tested – new    Not yet scheduled
                    system in FY 2007
 TAC                June 24, 2005         Q4 FY 2009             Planned transition to listed system (once
                                                                 HPCS moves to the production operating
                                                                 environment). Transition to listed system
                                                                 delayed until February 15, 2008.
 Telecommunications April 29, 2004        November 2008
 Unix Servers       Insufficient          Q4 FY 2009             This is another general support system that
                    documentation to                             was broken out from the LAN/WAN.
                    determine whether
                    covered by previous
                    tests
 Web Servers        Insufficient          June 1, 2006           This is another general support system that
                    documentation to      (delayed,              was broken out from the LAN/WAN.
                    determine whether     completion date
                    covered by previous   to be determined)
                    tests
 Windows Servers    June 29, 2004         August 2009            Last test was “inherited” from LAN/WAN.
 Contractor Systems
 CNWRA              Unknown               Unknown
 e-QIP              Unknown               Unknown
 FFS                March 2007            March 2008
 FPDS-NG            Unknown               Unknown
 FPPS               August 2007           August 2008
 INL                Unknown               Unknown
 L3-EER             Unknown               Unknown
 LMIT               Unknown               Unknown
 LSN                April 27-28, 2006     September 29, 2007
 NIH                Unknown               Unknown
 SPS                Unknown               Unknown

ADAMS          Agencywide Document Access and Management System
CNWRA          Center for Nuclear Waste Regulatory Analyses
CTF            Consolidated Test Facility
DCS            Data Center Services
DDMS           Digital Data Management System
e-QIP          Electronic Questionnaire for Investigations Processing
EHD            Electronic Hearing Docket
EIE            Electronic Information Exchange
ERDS           Emergency Response Data System
Fees System    A group of nine applications that support the collection of license fees
FFS            Federal Financial System
FPDS-NG        Federal Procurement Data Systems-Next Generation
FPPS           Federal Personnel and Payroll System
GLTS           General License Tracking System
HPCS-CDS/CFD   High Performance Computing System – Code Development
               System/Computational Fluid Dynamics System
HRMS           Human Resources Management System
IDSSD          Intrusion Detection System and Security Devices
INL            Idaho National Laboratory
IPSS           Integrated Personnel Security System
L3-EER         L-3 Communications Corporation, Government Services, Inc.
LAN/WAN        Local Area Network/Wide Area Network
LMIT           Lockheed Martin Information Technology
LSN            Licensing Support Network
LTS            License Tracking System
MPKI           Managed Public Key Infrastructure
NIH            National Institutes of Health
NSICD          NRC Systems Inventory and Configuration Database
OCIMS          Operations Center Information Management System
RAS            Remote Access System
RPS            Reactor Program System
SGI-LAN        Safeguards Local Area Network (also referred to as Secure LAN)
SPS            Secure Payment System
TAC            Technology Assessment Center

Appendix C.          DETAILED POA&Ms ANALYSIS

The agency carried over a total of 33 program level and 172 system level weaknesses from FY
2006 into FY 2007. The following tables provide statistics from the FY 2007 POA&Ms the
agency has submitted to OMB for the 1st, 2nd, and 3rd quarters. These statistics reflect our
analysis of the POA&Ms and may differ from the actual metrics submitted to OMB.

                              Table C-1. Program Level POA&M Statistics

 Quarter   # At Start of   # New   # Completed   # Ongoing   # Delayed   # For Start of
           Quarter                                                       Next Quarter
 Q1             33           5          0            16          22            38
 Q2             38           2          9            17          14            31
 Q3             33 *         0          5             6          22            28

*     Eight weaknesses were reported as closed in Q2 in error, but six of them were actually closed
      in Q3, so they should not be counted at the start of the quarter since they were already
      counted as closed in the previous quarter.

                              Table C-2. System Level POA&Ms Statistics

 Quarter   # At Start of   # New   # Completed   # Ongoing   # Delayed   # For Start of
           Quarter                                                       Next Quarter
 Q1            172          32          4            56         144           200
 Q2            200          10         10            40         160           200
 Q3            201 **        1         37            37         128           165

**    Three weaknesses were reported as closed in Q2 in error, but two of them were actually
      closed in Q3, so they should not be counted at the start of the quarter since they were already
      counted as closed in the previous quarter.

Table C-3 summarizes the total number of weaknesses included in the FY 2007 POA&Ms, the
total number of corrective actions actually completed, the total number of corrective actions that
are still ongoing, and the number of corrective actions whose completion has been delayed. The
statistics are based on Tables C-1 and C-2 above.

            Table C-3. Summary of FY 2007 POA&Ms Through the 3rd Quarter

                       Total #          Total #          Total #          Total #            %
                     Weaknesses        Completed        Ongoing           Delayed         Completed
  Program Level           40               14               6                22              35%
   System Level           215              51              37               128             23.7%

In the agency’s 3rd Quarter FY 2007 FISMA update to OMB, the agency reported that up to 20
percent of the weaknesses for various systems were closed this quarter. This is misleading
because:

   •   One of the three weaknesses reported as closed for a system was reported as closed in a
       previous quarter.
   •   Five of the eight weaknesses reported as closed for a system were related to updates to
       the system’s contingency plan. The five weaknesses were noted on the POA&M as
       duplicates of another weakness and were closed. The updates to the contingency plan
       were eventually completed, but not until after the five weaknesses had been reported as
       closed.
   •   All nine of the weaknesses reported as closed for a legacy system were closed because a
       decision was made at the agency level not to continue with the certification and
       accreditation of the system, which is undergoing modernization. Upon issuing the
       system’s IATO, the DAA decided not to require the system owner to continue
       development of the contingency plan and security plan. The nine weaknesses were
       closed as a result of this decision and not because the corrective actions to address the
       weaknesses had been completed. The contingency plan for this system was eventually
       updated and tested, but not until after the nine weaknesses had been reported as closed.
   •   Four of the five weaknesses reported as closed for a system were reported as closed in
       previous quarters.

Appendix D.
FY 2007 OMB FISMA REPORTING TEMPLATE FOR IGs\n\nThis appendix contains the FY 2007 OMB FISMA Reporting Template for IGs (referred to by\nOMB as Section C) and the additional narrative that will be included in the agency\xe2\x80\x99s FISMA\nsubmission to OMB.\n\n\n\n\n                                             57\n\x0c                                                                                                                            Independent Evaluation of\n                                                                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n                                                Section C - Inspector General: Questions 1 and 2\nAgency Name:          Nuclear Regulatory Commission                                                          Submission date:                 25-Sep-07\n                                                            Question 1: FISMA Systems Inventory\n\n1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other\norganization on behalf of an agency.\n\nIn the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199\nsystem impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all\nComponent/Bureaus.\n\nAgency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a\ncontractor of an agency or other organization on behalf of an agency. 
The total number of systems shall include both agency systems and contractor systems.\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency;\ntherefore, self reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service\nprovider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.\n\n                          Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing\n2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number\nand percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a\ncontingency plan tested in accordance with policy.\n\n                                                                     Question 1                                                       Question 2\n                                                  a.                     b.                   c.                    a.                      b.                
c.\n                                            Agency Systems       Contractor Systems    Total Number of          Number of              Number of         Number of\n                                                                                          Systems            systems certified     systems for which systems for which\n                                                                                        (Agency and           and accredited        security controls contingency plans\n                                                                                         Contractor                                 have been tested have been tested\n                                                                                          systems)                                  and reviewed in in accordance with\n                                                                                                                                      the past year         policy\n\n\n                                                                                                  Total\n                      FIPS 199 System                  Number          Number   Total                         Total     Percent     Total     Percent     Total   Percent\nBureau Name                                Number              Number                            Number\n                      Impact Level                    Reviewed        Reviewed Number                        Number     of Total   Number     of Total   Number   of Total\n                                                                                                Reviewed\nNRC                   High                        4          0         0           0        4            0         1       25%           4      100%          0        0%\n                      Moderate                   11          1         4           0       15            1         5       33%          13       87%          7   
    47%\n                      Low                         0          0         1           0        1            0         1      100%           1      100%          0        0%\n                      Not Categorized            15          0         6           0       21            0         0        0%          18       86%          0        0%\n                      Sub-total                  30          1        11           0       41            1         7       17%          36       88%          7       17%\nComponent/Bureau      High                                                                  0            0\n                      Moderate                                                              0            0\n                      Low                                                                   0            0\n                      Not Categorized                                                       0            0\n                      Sub-total                   0          0          0          0        0            0          0                    0                    0\nComponent/Bureau      High                                                                  0            0\n                      Moderate                                                              0            0\n                      Low                                                                   0            0\n                      Not Categorized                                                       0            0\n                      Sub-total                   0          0          0          0        0            0          0                    0                    0\nComponent/Bureau      High                                                                  0            0\n                      Moderate                                                              0            0\n                      Low                                                   
                0            0\n                      Not Categorized                                                       0            0\n                      Sub-total                   0          0          0          0        0            0          0                    0                    0\nComponent/Bureau      High                                                                  0            0\n                      Moderate                                                              0            0\n                      Low                                                                   0            0\n                      Not Categorized                                                       0            0\n                      Sub-total                   0          0          0          0        0            0          0                    0                    0\nComponent/Bureau      High                                                                  0            0\n                      Moderate                                                              0            0\n                      Low                                                                   0            0\n                      Not Categorized                                                       0            0\n                      Sub-total                   0          0         0           0        0            0          0                     0                   0\nAgency Totals         High                        4          0         0           0        4            0          1      25%            4     100%          0        0%\n                      Moderate                   11          1         4           0       15            1          5      33%           13      87%          7       47%\n                      Low                         0          0         1           0        1            0          1     100%            1     100%          0        
0%\n                      Not Categorized            15          0         6           0       21            0          0       0%           18      86%          0        0%\n                      Total                      30          1        11           0       41            1          7      17%           36      88%          7       17%\n\n\n\n\n                                                                                  58\n\x0c                                                                                                               Independent Evaluation of\n                                                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n                                             Section C - Inspector General: Question 3\nAgency Name:   Nuclear Regulatory Commission\n               Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory\n\n      3.a.     The agency performs oversight and evaluation to ensure information systems used or operated by a\n               contractor of the agency or other organization on behalf of the agency meet the requirements of\n               FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.\n\n               Agencies are responsible for ensuring the security of information systems used by a contractor of their\n               agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet\n               the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider,\n               may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.           
Mostly (81-95% of the time)\n\n               Response Categories:\n                - Rarely- for example, approximately 0-50% of the time\n                - Sometimes- for example, approximately 51-70% of the time\n                - Frequently- for example, approximately 71-80% of the time\n                - Mostly- for example, approximately 81-95% of the time\n                - Almost Always- for example, approximately 96-100% of the time\n\n               The agency has developed a complete inventory of major information systems (including major\n      3.b.     national security systems) operated by or under the control of such agency, including an\n               identification of the interfaces between each such system and all other systems or networks,\n               including those not operated by or under the control of the agency.\n                                                                                                                             Inventory is 81-95%\n               Response Categories:                                                                                          complete\n                - The inventory is approximately 0-50% complete\n                - The inventory is approximately 51-70% complete\n                - The inventory is approximately 71-80% complete\n                - The inventory is approximately 81-95% complete\n                - The inventory is approximately 96-100% complete\n      3.c.     The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.                                    Yes\n               The IG generally agrees with the CIO on the number of information systems used or operated by a\n      3.d.                                                                                                                               Yes\n               contractor of the agency or other organization on behalf of the agency. Yes or No.\n      3.e.     
The agency inventory is maintained and updated at least annually. Yes or No.                                              Yes\n\n               If the Agency IG does not evaluate the Agency\'s inventory as 96-100% complete, please identify the known missing systems by\n      3.f.     Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if\n               known), and indicate if the system is an agency or contractor system.\n                                                                                                                                 Agency or\n                                                                                                 Exhibit 53 Unique Project\n                         Component/Bureau                           System Name                                                  Contractor\n                                                                                                      Identifier (UPI)\n                                                                                                                                  system?\n\n\n\n\n               Number of known systems missing\n               from inventory:\n\n\n\n\n                                                                       59\n\x0c                                                                                                                       Independent Evaluation of\n                                                                                                        NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n                                                Section C - Inspector General: Questions 4 and 5\nAgency Name: Nuclear Regulatory Commission\n                                   Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process\nAssess whether the agency has developed, implemented, and is managing an agency-wide plan of action 
and milestones (POA&M) process.\nEvaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or\nnecessary, include comments in the area provided.\n\nFor each statement in items 4.a. through 4.f., select the response category that best reflects the agency\'s status.\n\nResponse Categories:\n - Rarely- for example, approximately 0-50% of the time\n - Sometimes- for example, approximately 51-70% of the time\n - Frequently- for example, approximately 71-80% of the time\n - Mostly- for example, approximately 81-95% of the time\n - Almost Always- for example, approximately 96-100% of the time\n                  The POA&M is an agency-wide process, incorporating all known IT security weaknesses\n       4.a.       associated with information systems used or operated by the agency or by a contractor of the       Almost Always (96-100% of the time)\n                  agency or other organization on behalf of the agency.\n                  When an IT security weakness is identified, program officials (including CIOs, if they own or\n       4.b.                                                                                                          Almost Always (96-100% of the time)\n                  operate a system) develop, implement, and manage POA&Ms for their system(s).\n                  Program officials and contractors report their progress on security weakness remediation to the\n       4.c.                                                                                                       Almost Always (96-100% of the time)\n                  CIO on a regular basis (at least quarterly).\n\n                  Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly\n       4.d.                                                                                                          
Almost Always (96-100% of the time)\n                  basis.\n\n       4.e.       IG findings are incorporated into the POA&M process.                                               Almost Always (96-100% of the time)\n\n                  POA&M process prioritizes IT security weaknesses to help ensure significant IT security\n       4.f.                                                                                                          Almost Always (96-100% of the time)\n                  weaknesses are addressed in a timely manner and receive appropriate resources.\n                  POA&M process comments: NRC has two primary tools for tracking IT security weaknesses. At a high level, NRC uses the POA&Ms\n                  required by OMB to track (1) corrective actions from the OIG annual independent evaluation, (2) corrective actions from the agency\xe2\x80\x99s\n                  annual review, and (3) recurring FISMA and IT security action items such as annual self-assessments and annual contingency plan\n                  testing. The POA&Ms may also include corrective actions resulting from other security studies conducted by or on behalf of NRC. The\n                  more specific corrective actions associated with the certification and accreditation process (e.g., corrective actions resulting from risk\n                  assessments and security test and evaluation) are tracked in Rational ClearQuest as change requests using the project management\n                  methodology process for change management.\n                                        Question 5: IG Assessment of the Certification and Accreditation Process\nProvide a qualitative assessment of the agency\'s certification and accreditation process, including adherence to existing policy, guidance, and\nstandards. 
Provide narrative comments as appropriate.\n\nAgencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for\ncertification and accreditation work initiated after May 2004. This includes use of the FIPS 199, "Standards for Security Categorization of Federal Information\nand Information Systems" (February 2004) to determine a system impact level, as well as associated NIST document used as guidance for completing risk\nassessments and security plans.\n\n                  The IG rates the overall quality of the Agency\'s certification and accreditation process as:\n\n                  Response Categories:\n                   - Excellent\n       5.a.                                                                                                          Failing\n                   - Good\n                   - Satisfactory\n                   - Poor\n                   - Failing\n\n                  The IG\'s quality rating included or considered the following aspects of the C&A process: Security plan                          X\n                  (check all that apply)\n                                                                                                               System impact level                X\n                                                                                                               System test and evaluation         X\n                                                                                                               Security control testing           X\n       5.b.\n                                                                                                               Incident handling\n                                                                                                               Security awareness training\n                                                                                            
                   Configurations/patching            X\n                                                                                                               Other: Risk Asssessment          X\n                  C&A process comments: Indicent handling and security awareness training were evaluated at the agency level. For more details on\n                  the agency\'s certification and accreditation process, see attached narrative, pages 4 and 5.\n\n\n\n\n                                                                               60\n\x0c                                                                                                              Independent Evaluation of\n                                                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n                                             Section C - Inspector General: Questions 6 and 7\nAgency Name: Nuclear Regulatory Commission\n                     Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process\n\n             Provide a qualitative assessment of the agency\'s Privacy Impact Assessment (PIA)\n     6.a.\n             process, as discussed in Section D II.4 (SAOP reporting template), including adherence\n             to existing policy, guidance, and standards.\n\n             Response Categories:\n              - Response Categories:                                                                                       Excellent\n              - Excellent\n              - Good\n              - Satisfactory\n              - Poor\n              - Failing\n             Comments:\n\n\n\n\n             Provide a qualitative assessment of the agency\'s progress to date in implementing the\n     6.b.    
provisions of M-06-15, "Safeguarding Personally Identifiable Information" since the most\n             recent self-review, including the agency\'s policies and processes, and the administrative,\n             technical, and physical means used to control and protect personally identifiable\n             information (PII).\n\n             Response Categories:                                                                                         Excellent\n              - Response Categories:\n              - Excellent\n              - Good\n              - Satisfactory\n              - Poor\n              - Failing\n             Comments:\n\n\n\n\n                                                        Question 7: Configuration Management\n\n             Is there an agency-wide security configuration policy? Yes or No.                                               Yes\n     7.a.\n             Comments:\n\n\n\n\n             Approximate the extent to which applicable information systems apply common security\n     7.b.    
configurations established by NIST.\n\n             Response categories:\n              -   Rarely- for example, approximately 0-50% of the time\n                                                                                                          Rarely (0-50% of the time)\n              -   Sometimes- for example, approximately 51-70% of the time\n              -   Frequently- for example, approximately 71-80% of the time\n              -   Mostly- for example, approximately 81-95% of the time\n              -   Almost Always- for example, approximately 96-100% of the time\n\n\n\n\n                                                                             61\n\x0c                                                                                                                           Independent Evaluation of\n                                                                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n                                             Section C - Inspector General: Questions 8, 9, 10 and 11\nAgency Name: Nuclear Regulatory Commission\n                                                                  Question 8: Incident Reporting\nIndicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to US-CERT, and to law\nenforcement. If appropriate or necessary, include comments in the area provided below.\n\n                   The agency follows documented policies and procedures for identifying and reporting\n       8.a.                                                                                                                                   Yes\n                   incidents internally. Yes or No.\n                   The agency follows documented policies and procedures for external reporting to US-\n       8.b.                                                                                                                
(continued) ... CERT. Yes or No. (http://www.us-cert.gov)
Response: Yes

8.c. The agency follows documented policies and procedures for reporting to law enforcement. Yes or No.
Response: Yes

Comments:

Question 9: Security Awareness Training

Has the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities?

Response Categories:
 - Rarely- or approximately 0-50% of employees
 - Sometimes- or approximately 51-70% of employees
 - Frequently- or approximately 71-80% of employees
 - Mostly- or approximately 81-95% of employees
 - Almost Always- or approximately 96-100% of employees

Response: Almost Always (96-100% of employees)

Question 10: Peer-to-Peer File Sharing

Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency wide training? Yes or No.
Response: Yes

Question 11: E-Authentication Risk Assessments

The agency has completed system e-authentication risk assessments. Yes or No.
Response: No

While OMB M-04-04 only requires e-authentication risk assessments for e-Government systems, NRC requires e-authentication risk assessments for all agency systems that require security categorizations. The e-authentication risk assessment is conducted during the security categorization of a system. The agency has completed all e-authentication risk assessments required under OMB M-04-04; however, the agency has not completed e-authentication risk assessments for all agency systems in accordance with its own policy.

The following supplemental information is provided in support of the FY 2007 Office of Management and Budget (OMB) Federal Information Security Management Act (FISMA) Reporting Template for Inspectors General for the Nuclear Regulatory Commission (NRC). The independent evaluation of NRC's implementation of FISMA for FY 2007 was conducted by Richard S. Carson and Associates, Inc. (Carson Associates) on behalf of the NRC Office of the Inspector General (OIG).

Question 1a. NRC has a total of 30[25] operational systems that fall under FISMA reporting requirements.[26] Of the 30, 17 are general support systems, and 13 are major applications. As required by FISMA, Carson Associates selected a subset of NRC systems for evaluation during the FY 2007 FISMA independent evaluation. However, only one of the three systems that were selected had a current certification and accreditation. While an additional system completed certification and accreditation in July 2007, it was after the cutoff date established at the entrance conference, and was therefore not considered for evaluation. As there were no other systems with a current certification and accreditation to consider for evaluation, Carson Associates evaluated only one agency system for the FY 2007 FISMA independent evaluation.

[25] The agency reports 31 operational systems. The OIG disagrees with the agency that an OIG system is a major application. It has been categorized as a listed system since it began operations in 2004. This designation is presently under a detailed review. Therefore, the metrics submitted by the OIG reflect a total of 30 operational systems.

[26] NRC also has a number of major applications and general support systems currently in development. For FISMA reporting purposes, only operational systems are considered.

Question 1.b. NRC has a total of 11 systems operated by a contractor or other organization on behalf of the agency (8 major applications and 3 general support systems). Of the 11, 6 are operated by other Federal agencies, 2 are operated by federally funded research and development centers, and 3 are operated by private contractors. NRC is responsible for direct oversight for four of these systems. Oversight of the remaining seven systems is the responsibility of the Federal agency operating the system. Therefore, the OIGs of those agencies would be responsible for evaluating those systems.

As required by FISMA, Carson Associates selected a subset of the contractor systems for which NRC is responsible for direct oversight for evaluation during the FY 2007 FISMA independent evaluation. However, the system selected did not have a current certification and accreditation, and none of the other contractor systems for which NRC is responsible for direct oversight had a current certification and accreditation. Therefore, Carson Associates did not evaluate any contractor systems for the FY 2007 FISMA independent evaluation.

Question 2. The metrics in Question 2 represent the status for all NRC systems, not just the subset that was chosen for evaluation in FY 2007.

Question 2.a.
Only two agency systems are certified and accredited, and only five systems operated by a contractor or other organization on behalf of the agency are certified and accredited. NRC is still developing procedures for maintaining documentation that demonstrates systems provided by other Federal agencies meet FISMA requirements and that other contractor systems are certified and accredited.

In accordance with OMB requirements, it constitutes a significant deficiency that only 2 of the 30 operational NRC information systems have a current certification and accreditation and only 5 of the 11 systems used or operated by a contractor or other organization on behalf of the agency have a current certification and accreditation.

Subsequent to the completion of fieldwork, the agency reported that two additional agency systems have also been certified and are currently under review by the agency's designated approving authority for consideration of an ATO.

Question 2.b. NRC meets the FISMA requirement to test and evaluate the security controls of agency information systems on an annual basis by performing annual self-assessments of the security controls of all agency and contractor systems. NRC performed self-assessments of the security controls for 28 of the agency's 30 operational systems. The agency chose not to perform a self-assessment of the OIG system discussed earlier, as that system's status as a major application is still under determination. As the other two agency operational systems were just certified and accredited in FY 2007, the agency did not perform an additional self-assessment of those systems, as permitted by OMB and National Institute of Standards and Technology (NIST) guidance. The agency also included the physical and environmental controls of the four NRC regional offices and the NRC Technical Training Center in one self-assessment.

NRC is required to perform self-assessments only on those contractor systems for which it has direct oversight. Self-assessments for the remaining contractor systems are the responsibility of the Federal agencies that operate those systems. NRC performed a self-assessment of one of the four contractor systems for which it has direct oversight. As two of the four contractor systems for which NRC has direct oversight are considered to be sub-components of the NRC LAN/WAN, only the physical and environmental controls and the personnel security controls were evaluated for these systems. The results were incorporated into the self-assessment for one of the agency's general support systems. The fourth contractor system for which the agency has direct oversight was expected to be certified and accredited in FY 2007, so the agency did not conduct a separate self-assessment for this system. However, the certification and accreditation was not expected to be completed prior to the submission of this report, so it was not originally included in the total number of contractor systems for which security controls have been tested and evaluated in the past year. Subsequent to the completion of fieldwork, the agency completed certification and accreditation of this system, and the system was granted an ATO.

For the seven contractor systems that are operated by other Federal agencies, NRC's policy is to confirm with the owner agencies that annual security control testing and evaluation has been completed. As two of the Federal contractor systems were just certified and accredited in FY 2007, these two systems were included in the total number of contractor systems for which security controls have been tested and evaluated. The agency has not obtained confirmation from the owner agencies of the other five contractor systems operated by other Federal agencies that annual security control testing and evaluation has been completed. Subsequent to the completion of fieldwork, the agency provided a certification memorandum for one of the Federal contractor systems that indicates security control testing and evaluation for the system was completed in FY 2007. However, the agency could not demonstrate that this system has been accredited (and therefore, that the designated approving authority for that system approved the testing and evaluation). Therefore, it was not included in the total number of contractor systems for which security controls have been tested and evaluated in the past year.

The agency did not use NIST Special Publication (SP) 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, for the annual assessment of security control effectiveness, but instead used the methodology described in NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems. Carson Associates also found that self-assessments were not always based on an approved security categorization and that self-assessments contained errors and inconsistencies.

Question 2.c. Only five agency systems and one contractor system have had their contingency plans tested in the past year. Subsequent to the completion of fieldwork, the agency provided documentation demonstrating that contingency plan testing was conducted for another contractor system; however, the agency has not yet received the test results report. NRC is still developing procedures for maintaining documentation that demonstrates systems provided by other Federal agencies meet FISMA requirements (including annual contingency plan testing).

In accordance with OMB requirements, the fact that the agency has failed to conduct annual contingency plan testing for all systems for the past 3 years constitutes a significant deficiency.

Question 3.a. NRC presumes that the Federal agencies that operate 7 of the 11 contractor systems are also following FISMA and guidelines from NIST. The agency has been working with the offices to assist in acquiring the required documentation for systems provided by other Federal agencies. However, according to the agency, some of the other Federal agencies have been unwilling to provide documentation that demonstrates they meet FISMA requirements. The other Federal agencies have also been unwilling to share copies of their annual self-assessments or results from their annual contingency plan testing. The OIG stated that a memorandum from the Federal agencies stating that annual self-assessments and annual contingency plan testing have been completed would be sufficient to meet the intent of the recommendations from the FY 2005 FISMA independent evaluation regarding this finding.
The agency is currently working towards obtaining such memoranda. As of September 1, 2007, the agency had received certification and accreditation memoranda for only four of the seven systems provided by or operated by other Federal agencies. Due to the current focus on the certification and accreditation phase of systems and scarcity of resources, the anticipated completion date to receive the rest of the required documentation for systems provided by or operated by other Federal agencies is December 31, 2007.

Question 3.b. While FISMA requires agencies to maintain an inventory only of major information systems (major applications and general support systems), NRC also tracks two other system types in its inventories: listed[27] and other.[28] To address findings from the FY 2005 FISMA independent evaluation regarding the agency's inventory, OIS developed a new centralized system for tracking NRC information systems. Data from various databases were compared, and any differences were resolved. The new system was then updated with data from biannual data calls, starting in September 2006. The new system continues to be updated with subsequent data calls. The agency also developed several procedures and guides to assist NRC offices with the biannual data call and to assist the agency in maintaining the inventory data in the new system.

Carson Associates found small discrepancies between the inventory of major applications, general support systems, and contractor systems reported in the metrics to OMB, and the actual contents of the agency's new inventory system. The agency has been made aware of these minor discrepancies and is working to correct them. Carson Associates also found that the agency is still in the process of populating the new inventory system with information on interfaces between systems. The agency is also still working to complete one recommendation from the FY 2006 FISMA independent evaluation regarding the classification of the agency's Network Continuity of Operations (COOP) system. This system was categorized as a listed system, when it should have been categorized as a general support system. The agency has incorporated the components of the COOP system into existing infrastructure general support systems, and is no longer tracking the COOP system as an individual system. The agency has updated the security categorization documents for four general support systems to incorporate the appropriate COOP components, but they have not all been approved by the Senior Agency Information Security Officer.

[27] Listed systems are computerized information systems or applications that (1) process sensitive information requiring additional security protections and (2) may be important to an NRC office's or region's operations, but which are not a major application or general support system when viewed from an agency perspective. Sensitive data may include individual Privacy Act information, law enforcement sensitive information, sensitive contractual and financial information, safeguards, and classified information.

[28] Other systems are NRC systems that do not require additional security protections and are adequately protected by the security provided by the NRC local area network/wide area network.

Question 4. While the agency's POA&M process is adequate, the agency has made minimal progress in correcting weaknesses reported on its POA&Ms. The agency has corrected 35 percent of its program level weaknesses, and 23.7 percent of its system level weaknesses. This is only a slight improvement over FY 2006. The majority of delays have been caused by delays in completing certifications and accreditations. Carson Associates also found that the quality of the agency's POA&Ms needs improvement.

Question 5.a. To correct weaknesses identified by the FY 2005 and FY 2006 FISMA independent evaluations by the NRC OIG, and to address findings from the agency's own evaluation, the agency has refocused its information system security program. Under the refocused program, the agency proposed performing certification and accreditation of systems that are a high priority from a mission perspective and others that potentially pose a higher security risk (e.g., agency systems that communicate with systems outside the NRC network). The first certification and accreditation schedule under the refocused program was issued in February 2006. This schedule has changed several times since February 2006.

The first phase of the refocused program included the development of a new certification and accreditation process, which has been finalized. The agency has finalized the templates for all certification and accreditation documents as well as instructions for completing the templates. The updated certification and accreditation process was also integrated into the agency's new project management methodology.
One of the agency's operational major applications was chosen to "pilot" the new process and documentation standards, in part, to ensure the new process is repeatable.

Even with the new certification and accreditation process, the refocused information system security program, and the award of a multi-year, multi-million dollar contract to provide the agency with consolidated information system security services, the agency has completed certification and accreditation of only two agency systems and one contractor system for which the agency has direct oversight in the past 2 years. In the meantime, the certifications and accreditations for all of the agency's remaining 28 operational systems have expired.

As stated previously, it constitutes a significant deficiency that only 2 of the 30 operational NRC information systems have a current certification and accreditation and only 5 of the 11 systems used or operated by a contractor or other organization on behalf of the agency have a current certification and accreditation.

We rated the overall quality of the agency's certification and accreditation process as failing because the agency has completed the certification and accreditation of only two agency systems and one contractor system for which the agency has direct oversight in the past 2 years. The failing rating does not necessarily reflect the actual quality of the process itself. Carson Associates could not perform a complete evaluation of the agency's new certification and accreditation process, as only two systems had completed certification and accreditation under the new process at the time of our evaluation. Based on the certification and accreditation documents we did review, we found that the agency's certification and accreditation process is inconsistent with NIST guidance.

Question 9. NRC ensures all employees and contractors receive security awareness and training. However, the agency still has not met the requirement to provide specialized training for employees with significant security responsibilities as described in NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model. The agency is still working with NRC offices to identify employees and contractors with significant IT security responsibilities. The agency is also still developing procedures for ensuring staff with significant IT security responsibilities are identified and receive security awareness training and that the individual and associated training are properly documented and readily identifiable.

Question 11. While OMB M-04-04, E-Authentication Guidance for Federal Agencies, only requires e-authentication risk assessments for e-Government systems, NRC requires e-authentication risk assessments for all agency systems that require security categorizations. The e-authentication risk assessment is conducted during the security categorization of a system. The agency has completed all e-authentication risk assessments required under OMB M-04-04; however, the agency has not completed e-authentication risk assessments for all agency systems in accordance with its own policy. Only 15 of the 30 operational NRC information systems have completed e-authentication risk assessments. Only 5 of the 11 contractor systems have completed e-authentication risk assessments. According to the agency, the target date for completing all e-authentication risk assessments was July 30, 2007. This target date was not met.

Appendix E.   MEMORANDUM TRANSMITTING AGENCY RESPONSE

Appendix F.   FORMAL AGENCY COMMENTS AND DETAILED OIG ANALYSIS OF AGENCY COMMENTS

At an exit conference with the agency held on September 17, 2007, the agency provided informal written comments and generally agreed with the report recommendations. The NRC Chief Information Officer provided a formal response to this report on September 24, 2007. Appendix E contains the Chief Information Officer's transmittal letter. This appendix contains the agency's formal comments along with OIG's analysis and response to those comments. NRC's comments are presented in their entirety and appear in italics (shown here indented), followed by the OIG analysis of the comments. This final report incorporates revisions made, where appropriate, in response to the agency's comments.

General Comments

   Credit is not given in the "Results in Brief" section for the positive finding with respect to how the agency is managing Privacy and PII information. We request this section include these positive results.

The report was modified to note the agency's progress in managing Privacy and PII information.

Comments on Recommendations

1. Staff believes Security Categorizations are correct based on the information in their systems. Staff is not aware of a requirement that the information type listed in the Security Categorization has to match the Exhibit 53.

The report was not modified. While it is true that there is no requirement that the information type listed in the Security Categorization has to match the Exhibit 53, it is implied by the process described in NIST SP 800-60 Volume I.
The methodology described in NIST SP 800-60 Volume I includes:

   - Identifying the fundamental business areas (management and support) or mission areas (mission-based) supported by the system under review.
   - Identifying for each business or mission area the areas of operations or lines of business that describe the purpose of the system in functional terms.
   - Identifying the sub-functions necessary to carry out each area of operation or line of business.
   - Selecting the basic information types associated with the identified sub-functions.

The Exhibit 53 is the primary source for the business area, line of business, sub-function, and information type.

   Additionally, staff does not believe any system has an inappropriate categorization because the information type in the Security Categorization (Sec Cat) does not match the Exhibit 53.

The report was not modified. While it may be true that the overall system categorizations themselves are appropriate (i.e., the systems are correctly identified as low-, moderate-, or high-impact systems), it is still important to correctly identify the information types that lead to that security categorization. NIST will be updating NIST SP 800-60 in the next few months. The correct information types need to be identified so that the agency can review the modifications NIST makes to those information types in NIST SP 800-60 to see if the changes have any impact on the security categorizations.

2. NRC does not perform Sec Cats on other federal agencies' systems, but performs Sec Cats on the NRC information that is being processed on those other agencies' systems. This is the only documentation NRC has to understand what NRC information is being placed on those systems. NRC uses the results of the Sec Cat performed on our information to ensure the security level of the hosting system meets NRC's requirements. We request that this discussion leading up to the recommendation be deleted.

The report was modified and the discussion of performing security categorizations of other Federal agencies' systems was removed as a cause for Finding B. However, it should be noted that while the agency's explanation for why they performed security categorizations of other Federal agencies' systems is reasonable, this rationale is not clearly reflected in the security categorizations. The security categorizations that NRC performed on the other Federal agencies' systems give no indication that the focus was just on the NRC information that is being processed on those other agencies' systems, or that the focus was just on the interface with the other agencies' systems.

3. Staff believes the self assessments were consistent with the guidance in the Fiscal Year 2006 Federal Information Security Management Act reporting guideline (OMB-M-06-20) which states that National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53a, Guide for Assessing the Security Controls in Federal Information Systems, is to be used for the assessment. NRC used the NIST SP 800-53a criteria in completing the self assessments. NIST SP 800-53a provides a short sample reporting template for illustrative purposes that is geared towards Security Test and Evaluation. An agency may choose to use another format (page 373).
   NRC used the NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, format, which also agrees with the agency assessment reporting format as shown in NIST SP 800-100, Information Security Handbook: A Guide for Managers. While NRC used the NIST SP 800-26 reporting format, we changed all of the data elements to capture all of the security controls listed in NIST SP 800-53 Rev. 1, Recommended Security Controls for Federal Information Systems, and we evaluated our controls against NIST SP 800-53a criteria. We believe that a review of the controls used in the self assessments will show that the NIST SP 800-53a controls were the basis for the self assessments.

The report was not modified. We disagree with the statement that the agency used NIST SP 800-53A criteria in completing the self assessments. There is almost no mention of using SP 800-53A in any of the documentation provided by the agency regarding self-assessments. The task order issued to perform the self-assessments stated that the assessments should be consistent with draft NIST SP 800-26 Revision 1 (including Appendix A System Questionnaire) and NIST SP 800-53 Revision 1. Draft NIST SP 800-26 Revision 1 was pulled from the NIST Web site and is not even considered a draft any more. The only SP 800-26 Revision 1 document still on the NIST Web site is the questionnaire from the original SP 800-26 with mappings to the controls in SP 800-53. The task order mentions the use of SP 800-53A, but only once. The task order primarily focuses on the use of SP 800-26. The task order also mentions the NRC System ST&E plan template, which does not seem to have been used at all during the self-assessments. The agency also provided a self-assessment overview document. In the section on the self-assessment process, the methodology the agency planned on using was described as the "self-assessment approach of measuring progress by levels of effectiveness ... continues to follow the NIST SP 800-26 guidance." This document makes no mention of using SP 800-53A, and the process described in this document is the methodology described in SP 800-26. It is not the SP 800-53A methodology. The actual self-assessments also make no mention of using SP 800-53A. They state that the self-assessments were based on NIST SP 800-26 dated April 2005. It is also not the case that no other format was specified, other than the sample reporting template in SP 800-53A. As stated in this report, NIST issued a memorandum for the record in February 2007 (updated in May 2007) that included as an attachment a security controls assessment form, which replaces the form contained in NIST SP 800-26, and provides a standard methodology for capturing the results of system-level security control assessments. The form from SP 800-100 that the agency references in their comments is for assessing an information security program, and it is not intended to be used to assess an individual system. While it is true that the controls used in the self assessments are the controls found in NIST SP 800-53A, the issue is not with the controls that were evaluated, but with the methodology used to evaluate them. The agency has not provided any documentation that demonstrates that the methodology described in SP 800-53A was used to conduct the self-assessments.

4. Agree. Some were based on revised Sec Cats that have been submitted but not approved to date.

No changes to the report were necessary.

5. Agree, if language concerning "free from errors and inconsistencies" is dropped.

The recommendation was modified as suggested.

6. Agree, written comments will provide some updates.

No changes to the report were necessary.

7. Agree. Staff has been requesting copies as Authorities to Operate are being worked.

Recommendation 7 was modified to incorporate the intent of recommendations 8 and 9. Recommendations 8 and 9 were removed from the report.

8. Agree, if the language is revised to recommend "maintaining evidence that self assessments were completed" vs. having copies of self assessments. Agencies will not provide copies of self assessments.

Recommendation 7 was modified to incorporate the intent of recommendations 8 and 9. Recommendations 8 and 9 were removed from the report.

9. Agree, if the language is revised to recommend "maintaining evidence that contingency plan tests were completed" vs. having copies of self assessments. Agencies will not provide copies of test results.

Recommendation 7 was modified to incorporate the intent of recommendations 8 and 9. Recommendations 8 and 9 were removed from the report.

10. Agree. This was addressed in a recent update to the previous report.

No changes to the report were necessary.

11. Addressed in an update to the previous report.
    Under the current approach, there is no system called Network Continuity of Operations.

The recommendation was modified to reflect the fact that there is no system called Network Continuity of Operations, but that the security categorizations of the general support systems into which the Network Continuity of Operations components have been incorporated have not all been updated.

12. Agree.

No changes to the report were necessary.

13. Agree, if language concerning "free from errors and inconsistencies" is dropped.

The recommendation was modified as suggested.

14. Agree.

No changes to the report were necessary.

15. While we agree with the recommendation, we believe the current approach is consistent with the resources available. The most important controls were tested.

No changes to the report were necessary.

16. Agree. Procedures are in development and contracts are being developed to provide the training, starting with system administrators and system security officers.

No changes to the report were necessary.

17. Please change the language to read "Review and update the remaining two e-Authentication risk assessments as specified in recommendation 8 of OIG-05-A-21 to correct inaccuracies and inconsistencies with FIPS 199 security categorizations."

Recommendation 17 was removed from the report, and incorporated into recommendation 18 (which is now recommendation 15).

18. Agree.

No changes to the report were necessary.

Additional Comments

1. Line 320. Status of Security Plan Documentation

   Notes that the agency updated security plans for 5 of the agency's 30 operational systems. The list did not include the Licensing Support Network (LSN). The LSN Security Plan is in ADAMS (ML072340242) and its revision history indicates an Initial Release existed at the time of the evaluation:

       Date       Version  Description                                                        Author
       8/17/2007  1.1      Updated to reflect findings from Security Test and Evaluation      MAR, Incorporated
                           conducted by Atomic Safety and Licensing Board Panel (ASLBP)
                           and AT&T Government Solutions
       6/11/2007  1.0      Initial Release                                                    MAR, Incorporated

   Accordingly, we believe that the LSN should have been included in the list for which new/updated Security Plans were developed during Fiscal Year (FY) 2007. Please include this in your numbers.

The report was modified as suggested. However, it should be noted that the security plan was not provided by the cutoff date established at the entrance conference. While the update may have occurred August 17, 2007, the document was not placed in ADAMS until August 24, 2007, which was after the cutoff date established at the entrance conference. The agency also did not include this security plan in metrics it provided to the OIG with the 4th Quarter FY 2007 POA&M submission.

2. Line 341. We suggest that the sentence be amended (in italics) to read "Annual contingency plan testing is still not being performed for all systems." On page 22, beginning on line 863, it is indicated that contingency plan testing has been conducted for some systems.

The report was modified as suggested.

3. Line 471. Security Categorization for the LSN Exhibit 53 Issue.

   Page 9, Finding A
   Identifies the LSN as having a security categorization that did not reflect the primary business area, primary line of business, and/or primary sub-function of those systems as indicated on the Exhibit 53.

   Agreed as factual, however, there is no requirement for reconciliation between the Sec Cat and the Exhibit 300 and we believe this finding should be deleted.

The report was modified to remove LSN as an example of a security categorization that is inconsistent with the Exhibit 53. The agency's rationale (item 4 below) is sufficient to explain the inconsistency. However, the overall finding was not deleted as suggested. See our response to the agency's comments on recommendation #1.

4. Line 501.
National Institute of Standards and Technology (NIST) Information Type Issue.\n\n   Page 10, Finding A\n   Asserts that the Information Type in the Security Categorization does not even reflect the\n   actual mission of the system.\n\n   Since June 2004, ASLBP, the Office of Information Services (OIS), and the contractor teams\n   working on LSN Certification and Accreditation (C&A) efforts have struggled with the\n   failure of NIST to address portal and text indexing environments in NIST 800-60 and the\n   intermittent spidering and data extraction that is a different paradigm than peer-to-peer data\n   sharing as described in SP 800-47.\n\n   The description in NIST 800-60 at page 229 is as follows (with emphasis added):\n\n       \xe2\x80\x9cD.22.4 Information Infrastructure Management Information Type Information\n       Infrastructure Management involves the management and stewardship of a type of\n       information by the Federal Government and/or the creation of physical communication\n       infrastructures on behalf of the public in order to facilitate communication. 
This includes\n       the management of large amounts of information (e.g., environmental and weather data,\n       criminal records, etc.), the creation of information and data standards relating to a\n       specific type of information (patient records), and the creation and management of\n       physical communication infrastructures (networks) on behalf of the public.\xe2\x80\x9d\n\n   The recommended provisional security categorization for the information infrastructure\n   maintenance information type is as follows: Security Category = {(confidentiality, Low),\n   (integrity, Low), (availability, Low)}.\n\n   The information content in the LSN system is almost a precise match for this description.\n   Excluding help pages, the LSN is a network comprised of: (1) a Commercial Off-the-Shelf\n   (COTS) full text search engine (2), \xe2\x80\x9cSpidering\xe2\x80\x9d software, and (3) indexes.\n\n\n\n\n                                               76\n\x0c                                                                                            Independent Evaluation of\n                                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n       The role of the LSN Administrator as defined in 10 CFR Part 2, Subpart J is the role of a\n       manager and independent steward. The LSN is a network of 14 interconnected computer\n       systems, only two of which are federal. The system is publicly accessible, without access\n       controls, via the internet. The user community is comprised of non-government and\n       government users. It facilitates the identification, search and retrieval of information. It\n       contains a large amount of information. The system mission is outlined in 10 CFR Part 2,\n       Subpart J and the data content specifically represents and precisely fulfills the requirement\n       at 10 CFR \xc2\xa7 2.1011 (b)(2)(i). 
The system follows information and data standards defined by\n       NRC at 10 CFR \xc2\xa7 2.1011 (b)(2)(ii) et seq.\n\n       The specific type of information to be included, as well as information to be excluded, is\n       described in 10 CFR \xc2\xa7 2.1003 and \xc2\xa7 2.1005. NRC created and manages the central indexing\n       system, web hosting, and telecommunications infrastructure that enables the system.\n\n       The information type described in NIST 800-60 as quoted above, objectively read, matches\n       the mission and operation of the LSN. It is acknowledged that it is outside the construct of\n       \xe2\x80\x9cpublic goods construction\xe2\x80\x9d but ASLBP did not craft the taxonomic structure of the NIST\n       guidance or have an opportunity to bring this particular shortcoming, or the lack of\n       adequate coverage for portals and web indexes in general, to their attention. Conversely, it\n       is arguable that classifying the information type per NIST 800-60, Section D.17.1 Judicial\n       Hearings Information Type29 is inappropriate because document discovery is typically\n       transacted between parties and external to the agency\xe2\x80\x99s adjudicatory process.\n\n       Finally, the Independent Evaluation recommends using the \xe2\x80\x9cpermits and licensing\n       information type under the regulatory and compliance enforcement line of business.\xe2\x80\x9d\n       ASLBP agrees to explore adding this to the information type discussion in the LSN system\n       documentation, but notes that per the discussion in NIST 800-60 for the Permits and\n       Licensing Information Type,30 the recommended security categorization would continue to be\n       \xe2\x80\x9cSecurity Category = {(confidentiality, Low), (integrity, Low), (availability, Low)}.\xe2\x80\x9d We\n       believe that the narrative regarding the LSN\xe2\x80\x99s current information type categorization not\n       reflecting the risk impact to the agency should 
be removed as a finding.\n\nThe report was modified to remove LSN as an example of a security categorization that is\ninconsistent with the Exhibit 53, including the discussion of alternative information types for that\nsystem. The agency\xe2\x80\x99s rationale is sufficient to explain their choices in determining the system\xe2\x80\x99s\ninformation type. However, the overall finding was not deleted as suggested. See our response\nto the agency\xe2\x80\x99s comments on recommendation #1.\n\n5. Lines 563-570. This seems to contradict the earlier sentences (541-553) \xe2\x80\x9cCategorize all\n   NRC information systems, including systems operated by a contractor or other organization\n   on behalf of the agency, in accordance with Federal Information Processing Standards\n   (FIPS) 199.\xe2\x80\x9d If this sentence means to have up-to-date security documentation from the\n\n\n29\n     Judicial hearings include activities associated with conducting a hearing in a court of law to settle a dispute.\n30\n     Permits and Licensing involves activities associated with granting, revoking, and the overall management of the\n     documented authority necessary to perform a regulated task or function.\n\n\n                                                            77\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n   systems operated by other organizations on behalf of the agency, it should be more clear and\n   concise in meaning.\n\nThe report was modified to remove the discussion regarding performing security categorizations\nfor systems that are not major applications or general support systems, or are operated by other\nFederal agencies. 
Minor modifications were made to the recommendation to make it clear that\nthe agency should complete the security categorization of all their major applications and general\nsupport systems.\n\n6. Lines 621-622. Please examine the sentence as the phrase \xe2\x80\x9c..., but less than annually"\n   should probably read \xe2\x80\x9c..., but no less than annually\xe2\x80\x9d as it does in line 675 on page 16.\n\nThe report was modified to read \xe2\x80\x9cbut not less than annually.\xe2\x80\x9d\n\n7. Lines 653-662. The Office of Administration (ADM) has received the annual security control\n   testing and evaluation for FPDS-NG. The document is dated May 24, 2007.\n\nThe report was not modified. The agency provided a certification memorandum for FPDS-NG\nthat supports the statement that security control testing and evaluation for FPDS-NG was\ncompleted in FY 2007. However, the agency could not demonstrate that this system has been\naccredited (and therefore, that the designated approving authority for that system approved the\ntesting and evaluation). Therefore, it was not included in the total number of contractor systems\nfor which security controls have been tested and evaluated in the past year.\n\n8. Lines 711-716. The bullets do not fully describe that \xe2\x80\x9cfor 2 operational systems, the FEES\n   and HRMS, additional evaluations were conducted to validate that controls were\n   implemented and to assess compensating controls, even though policies and procedures may\n   not have been fully in place.\xe2\x80\x9d We request this sentence be updated in the report.\n\nThe report was not modified. We acknowledge that the self-assessments for the two systems\nnoted above include descriptions of controls in place in the \xe2\x80\x9cComments\xe2\x80\x9d column, and that they\nalso include, where needed, a discussion of compensating controls. However, there is no\nevidence that additional evaluations were conducted to obtain this information. 
The presence of\nthe additional information in the self-assessments does not clearly demonstrate that additional\nevaluations were conducted. The self-assessments only mention document reviews and\ninterviews as methods used to conduct the self-assessments.\n\n9. Lines 727 and 728. We do not agree with the sentence \xe2\x80\x9cFor example, if a control had\n   policies, but no procedures, then the implementation of that control was never evaluated,\n   even if the control was actually implemented.\xe2\x80\x9d We suggest adding the following (in italics):\n   \xe2\x80\x9cFor example, except for 2 systems (FEES and HRMS), if a control had policies\xe2\x80\xa6\xe2\x80\x9d\n\nThe report was modified to state \xe2\x80\x9cthen the implementation of that control was, in most cases,\nnever evaluated.\xe2\x80\x9d\n\n\n\n\n                                                78\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n10. Lines 783-792. Integrated Personnel Security System (IPSS) discussions occurred between\n    ADM and OIS and it was determined that the system had originally been listed as a high-\n    impact security control baseline and that it should be a moderate-impact security control\n    baseline. This was discussed during the self-assessment interview, but there was no area in\n    the self-assessment document that requested discussion for the change. The IPSS Security\n    Categorization has gone forward from ADM to OIS for review and approval.\n\nThe report was not modified, but the agency\xe2\x80\x99s comment is noted.\n\n11. Lines 865 and 866. 
Please amend (in italics) the sentence to read \xe2\x80\x9c2 (FFS and FPPS) of the\n    agency\xe2\x80\x99s contractor systems, had their contingency plans tested in FY 2007.\xe2\x80\x9d A contingency\n    plan test was conducted for the FPPS on August 15, 2007, which may have been after the\n    field work was completed for this evaluation. We have requested but have not yet received\n    the test results report; however, we do have email traffic and contact names available as\n    evidence of the testing, which we can provide. Please also update the table on page 69 to\n    reflect this date, and the scheduled date for August 2008.\n\nThe metrics were modified to reflect annual contingency plan testing for FPPS. The agency\nprovided documentation that demonstrates contingency plan testing was conducted for FPPS in\nAugust 2007. It should be noted that our criteria for including contingency plan testing in the\nmetrics is that not only must the testing have occurred before the cutoff date established at the\nentrance conference, but the test report results must also have been submitted to and approved by\nthe agency prior to or on the cutoff date. We do not count contingency plan tests that are not\nsupported by a test report that has been approved by the agency. It should also be noted that the\nagency did not count annual security control testing for FPPS in the metrics it provided to the\nOIG with the 4th Quarter FY 2007 POA&M submission.\n\n12. Lines 887-907. IPSS has not had a planned contingency plan test done since 2004.\n    However, the contingency plan has been tested in actual operations six times since that\n    period due to system outages for upgrades or maintenance. In each case implementation of\n    the contingency plan was successful and no deficiencies were identified. 
We request this\n    information be added to the report or the finding dropped.\n\nThe report was not modified as the agency has not provided any evidence to support the\nstatement that the contingency plan has been tested in actual operations due to system outages\nfor upgrades or maintenance. It should be noted that testing of a contingency plan in actual\noperations is an accepted form of contingency plan testing and can be documented in a\ncontingency plan test report. The testing of the contingency plan in actual operations would have\nbeen counted if it had been documented.\n\n13. Line 915. If bracketed items are to be carried over to the final report then \xe2\x80\x9c...[CNRWA, \xe2\x80\xa6\xe2\x80\x9d\n    should be \xe2\x80\x9c...[CNWRA,...\xe2\x80\x9d\n\nAll system names in brackets were removed from the discussion draft before the report was\nsubmitted as a final.\n\n\n\n\n                                               79\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n14. Line 918. Contingency Plan Testing for Low Risk Systems. Pages 23, 24, Finding G\n    identifies the LSN as one of the 10 systems that did not complete contingency plan testing.\n\n   ASLBP was advised by OIS and the contractors supporting the development of the C&A\n   package for the LSN that annual contingency plan testing is not required for systems with\n   \xe2\x80\x9cLow-Low-Low\xe2\x80\x9d risk assessments, whereas the Independent Evaluation asserts that this is a\n   \xe2\x80\x9crequirement.\xe2\x80\x9d Page 3 of Annex 1 Low Impact Baseline to 800-53 specifies for control\n   family Contingency Planning, (CP-4) Contingency Plan Testing and Exercises \xe2\x80\x9cnot\n   selected.\xe2\x80\x9d Accordingly we request this finding be removed.\n\nThe report was not modified. 
While it is true that NIST SP 800-53 Revision 1 does not require\ncontingency plan testing (control CP-4) for low-impact systems, the agency requires contingency\nplan testing for all major applications and general support systems. This requirement can be\nfound in several documents including:\n\n   \xe2\x80\xa2   MD and Handbook 12.5, Table 3-1, page 35\n   \xe2\x80\xa2   OIS-9000D-004 Revision 0, Ensure Contingency Plans are Tested Annually for Major\n       Applications (MA) and General Support Systems (GSS), dated July 1, 2007\n   \xe2\x80\xa2   ISS-00-001 Revision 0, Annual Update of System Security Documentation for Automated\n       Information Systems, dated March 1, 2006\n   \xe2\x80\xa2   Project Management Methodology Web site, Roadmap: ISS C&A Deliverables\n\nThe agency has not provided any policies or guidance that contradicts the requirement that all\nmajor applications and general support systems, even those that are low-impact, require annual\ncontingency plan testing.\n\n15. Lines 1117-1118. \xe2\x80\x9c...the NRC the network...\xe2\x80\x9d should be \xe2\x80\x9c..the NRC network...\xe2\x80\x9d\n\nThe report was modified as suggested.\n\n16. Lines 1316-1321. Concludes that \xe2\x80\x9c\xe2\x80\xa6the certifications and accreditations for all the\n    agency\xe2\x80\x99s remaining 28 operational systems have expired.\xe2\x80\x9d For the HRMS and FEES\n    systems, as well as for other systems, new C&A activities have been conducted and are in\n    process.\n\n   We suggest adding the sentence: \xe2\x80\x9cOf these 28 systems, 14 have completed new C&A\n   activities through the security categorization, 9 have completed risk assessments, and 9 are\n   in the security plan phase.\xe2\x80\x9d\n\nThe report was not modified as suggested. The agency has not provided sufficient evidence to\nsupport the statement that new C&A activities have been conducted and are in process.\n\n17. Lines 1402-1419. 
The report states that the agency may not have an adequate understanding\n    of the threats, risks, and vulnerabilities for systems operating under an interim authority to\n    operate (IATO). For the FEES and HRMS systems operating under an IATO, the risks are\n\n\n\n                                                80\n\x0c                                                                           Independent Evaluation of\n                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n   known as each have approved security categorizations and risk assessments, and security\n   plans have been prepared but are not approved. We suggest noting this in the report.\n\nThe report was modified to remove FEES and HRMS from the examples of systems that are\ncurrently operating under an IATO.\n\n18. Page 72, regarding the FEES and HRMS Plan of Action and Milestones (POA&Ms)\n\n   For the FEES System, we request additional information, as we do not have information that\n   supports the statement in the 2nd bullet. FEES POA&M weaknesses related to an IG report\n   were closed this past year, and some were closed because \xe2\x80\x9ca decision was made at the\n   agency level not to continue with the C&A on this legacy system undergoing modernization.\xe2\x80\x9d\n   Please update or remove the bullet.\n\nThe agency was provided with the specific POA&M items referred to in the 2nd bullet. The\nreport was modified to clarify the discussion of these particular POA&M items.\n\n   For the HRMS weaknesses related to the security plan and the contingency plan, these were\n   closed because an IATO was provided, and it was decided not to invest additional resources\n   in the security plan. 
The contingency plan has been updated and a test performed.\n   Additionally, we suggest the bullet for HRMS be amended to reflect that \xe2\x80\x9ca decision was\n   made at the agency level not to continue with the C&A on this legacy system undergoing\n   modernization.\xe2\x80\x9d\n\nThe report was modified to clarify the discussion of these particular POA&M items.\n\n19. The FEES system acronym should be used consistently throughout the document.\n\nAll system names in brackets were removed from the discussion draft before the report was\nsubmitted as a final.\n\n\n\n\n                                              81\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2007\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              82\n\x0c'